WebUI could severely break users systems, please escape the registration code

Bug #2028514 reported by Christian Ehrhardt 
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Landscape Server
Fix Committed
Kevin Nasto

Bug Description

I've found my pwgen generated registration key to break your really nice "this is how you attach" info page.

What I got was a registration code that included a ` and due to that was considered a subcommand.

I assume you already try to avoid some of it via the rule of "Trailing spaces or ; or # symbols are not allowed." but IMHO it is not enough.

Worst case an attacker could set the registration key to interesting things and wreak havoc.
Example bad registration keys:
- 123`ls /boot`
- 123$(ls /boot)

Both would currently be allowed and we all know what happens if `ls` is replaced by `rm -rf` in those.
Or how about anything that includes passwd, ssh-import-id or sending data somewhere.
I guess you got my point.

Basic recommendation (you are free to resolve otherwise) of me would be to also prohibit the use of ' and always display the registration code inside of those like 'code'.

Revision history for this message
Mitch Burton (mitchburton) wrote :

Disallowing single-quote chars and wrapping the registration key in them (or otherwise escaping what could be interpreted as a sh command) seems sensible. Triaging this.

affects: landscape-client → landscape
Changed in landscape:
status: New → Confirmed
importance: Undecided → Medium
Changed in landscape:
assignee: nobody → Kevin Nasto (silverdrake11)
Changed in landscape:
status: Confirmed → Fix Committed
Revision history for this message
selman (sel123man) wrote :

how to get kodi

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.