maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Charles Duffy (JIRA)" <j...@codehaus.org>
Subject [jira] (MSHARED-297) Commandline class shell injection vulnerabilities
Date Wed, 23 Oct 2013 20:49:52 GMT
Charles Duffy created MSHARED-297:
-------------------------------------

             Summary: Commandline class shell injection vulnerabilities
                 Key: MSHARED-297
                 URL: https://jira.codehaus.org/browse/MSHARED-297
             Project: Maven Shared Components
          Issue Type: Bug
            Reporter: Charles Duffy
         Attachments: use-no-shell-r2.patch

The Commandline class can emit double-quoted strings without proper escaping, allowing shell
injection attacks.

The BourneShell class should unconditionally single-quote emitted strings (including the name
of the command itself being quoted), with {{'"'"'}} used for embedded single quotes, for maximum
safety across shells implementing a superset of POSIX quoting rules.

An appropriate fix has been built and applied against PLXUTILS; that patch is submitted here
in the hope that it will be useful, though it is not expected to apply to the maven-shared-utils
codebase without modification.

See PLXUTILS-161 for history/discussion.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message