Fix check_ssh_injection in cinder/utils
check_ssh_injection is used to prevent commands from being modified by specially constructed strings containing special characters. The function includes a loop over the special characters to compare them against each arg. If an arg is exactly the same as the special character, the check is skipped for it. This commit modifies this part of the function so that args that are exactly equal to one of the special characters will cause an exception to be raised. Change-Id: I3a61e995ea41fc0324b5cb60e3c96e3d9dc56637 Closes-Bug: #1398002
parent
408c764f4f
commit
78d9c0366b
|
@ -471,7 +471,11 @@ class GenericUtilsTestCase(test.TestCase):
|
|||
self.assertRaises(exception.SSHInjectionThreat,
|
||||
utils.check_ssh_injection,
|
||||
with_unquoted_space)
|
||||
with_danger_char = ['||', 'my_name@name_of_remote_computer']
|
||||
with_danger_chars = ['||', 'my_name@name_of_remote_computer']
|
||||
self.assertRaises(exception.SSHInjectionThreat,
|
||||
utils.check_ssh_injection,
|
||||
with_danger_chars)
|
||||
with_danger_char = [';', 'my_name@name_of_remote_computer']
|
||||
self.assertRaises(exception.SSHInjectionThreat,
|
||||
utils.check_ssh_injection,
|
||||
with_danger_char)
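Review bot: The added assertions exercise only `||` and `;` as stand-alone arguments, while the fix changes behaviour for every entry of `ssh_injection_pattern`, whose contents are not visible in this hunk. A short loop over the remaining entries would pin the new behaviour for each operator, with a body such as `self.assertRaises(exception.SSHInjectionThreat, utils.check_ssh_injection, [op, 'my_name@name_of_remote_computer'])`. The names `with_danger_chars` and `with_danger_char` differ by one letter and are easy to swap when editing; something like `with_double_pipe` and `with_semicolon` would read more safely. The test method starts outside the hunk.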
|
||||
|
|
|
@ -168,7 +168,7 @@ def check_ssh_injection(cmd_list):
|
|||
# Second, check whether danger character in command. So the shell
|
||||
# special operator must be a single argument.
|
||||
for c in ssh_injection_pattern:
|
||||
if arg == c:
|
||||
if c not in arg:
|
||||
continue
|
||||
|
||||
result = arg.find(c)
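Review bot: The comment above the loop still says "the shell special operator must be a single argument", which reads as though a stand-alone operator is acceptable; with the condition now `if c not in arg:`, an argument that is exactly an operator is rejected. Since this is the security check itself, the comment should state the rule that is enforced, for example `# Second, reject any argument that contains a shell special character, including an argument that is exactly that character.` As a smaller point, `c not in arg` followed by `arg.find(c)` scans the string twice; `result = arg.find(c)` followed by `if result == -1: continue` does the same with one scan. `find` returns only the first occurrence and the code that uses `result` lies outside the hunk, so it is worth confirming that later occurrences of the character in the same argument are also examined.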
|
||||
|
|