You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Elliotte Rusty Harold (Jira)" <ji...@apache.org> on 2020/07/20 12:48:00 UTC

[jira] [Closed] (MSHARED-297) Commandline class shell injection vulnerabilities

     [ https://issues.apache.org/jira/browse/MSHARED-297?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Elliotte Rusty Harold closed MSHARED-297.
-----------------------------------------

> Commandline class shell injection vulnerabilities
> -------------------------------------------------
>
>                 Key: MSHARED-297
>                 URL: https://issues.apache.org/jira/browse/MSHARED-297
>             Project: Maven Shared Components
>          Issue Type: Bug
>          Components: maven-shared-utils
>            Reporter: Charles Duffy
>            Priority: Critical
>              Labels: SECURITY
>         Attachments: use-no-shell-r2.patch
>
>
> The Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.
> The BourneShell class should unconditionally single-quote emitted strings (including the name of the command itself being quoted), with {{'"'"'}} used for embedded single quotes, for maximum safety across shells implementing a superset of POSIX quoting rules.
> An appropriate fix has been built and applied against PLXUTILS; that patch is submitted here in the hope that it will be useful, though it is not expected to apply to the maven-shared-utils codebase without modification.
> See PLXUTILS-161 for history/discussion.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)