WebUI could severely break users systems, please escape the registration code
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Landscape Server |
Fix Committed
|
Medium
|
Kevin Nasto | ||
Bug Description
I've found my pwgen generated registration key to break your really nice "this is how you attach" info page.
What I got was a registration code that included a ` and due to that was considered a subcommand.
I assume you already try to avoid some of it via the rule of "Trailing spaces or ; or # symbols are not allowed." but IMHO it is not enough.
Worst case an attacker could set the registration key to interesting things and wreak havoc.
Example bad registration keys:
- 123`ls /boot`
- 123$(ls /boot)
Both would currently be allowed and we all know what happens if `ls` is replaced by `rm -rf` in those.
Or how about anything that includes passwd, ssh-import-id or sending data somewhere.
I guess you got my point.
Basic recommendation (you are free to resolve otherwise) of me would be to also prohibit the use of ' and always display the registration code inside of those like 'code'.
| Mitch Burton (mitchburton) wrote | #1 |
| affects: | landscape-client → landscape |
| Changed in landscape: | |
| status: | New → Confirmed |
| importance: | Undecided → Medium |
| Changed in landscape: | |
| assignee: | nobody → Kevin Nasto (silverdrake11) |
| Changed in landscape: | |
| status: | Confirmed → Fix Committed |
| selman (sel123man) wrote | #2 |
Disallowing single-quote chars and wrapping the registration key in them (or otherwise escaping what could be interpreted as a sh command) seems sensible. Triaging this.