You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@thrift.apache.org by "Felix Groebert (JIRA)" <ji...@apache.org> on 2016/08/04 10:26:20 UTC

[jira] [Commented] (THRIFT-3893) Command injection in format_go_output

    [ https://issues.apache.org/jira/browse/THRIFT-3893?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15407530#comment-15407530 ] 

Felix Groebert commented on THRIFT-3893:
----------------------------------------

https://git-wip-us.apache.org/repos/asf?p=thrift.git;a=blob;f=compiler/cpp/src/generate/t_go_generator.cc;h=f4ddfeb4e42353e2c3a61c071388ba88948fa7c9;hb=HEAD#l3658

> Command injection in format_go_output
> -------------------------------------
>
>                 Key: THRIFT-3893
>                 URL: https://issues.apache.org/jira/browse/THRIFT-3893
>             Project: Thrift
>          Issue Type: Bug
>          Components: Go - Compiler
>    Affects Versions: 0.9.3
>            Reporter: Felix Groebert
>              Labels: security
>   Original Estimate: 2m
>  Remaining Estimate: 2m
>
> format_go_output runs gofmt on a file_path which is derived from the service name. If a malicious user is able to provide a service name to a framework invoking thrift, a user-supplied service name could lead to shell command injection.
> A potential fix would be to escaping on the file_path or ensuring that it adheres to a whitelist of characters, e.g. [A-Za-z0-9_-].



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)