[ https://issues.apache.org/jira/browse/MESOS-5388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15386938#comment-15386938 ]
Gilbert Song edited comment on MESOS-5388 at 8/2/16 10:47 PM:
--------------------------------------------------------------

https://reviews.apache.org/r/50215/
https://reviews.apache.org/r/50214/
https://reviews.apache.org/r/50534/
https://reviews.apache.org/r/50535/
https://reviews.apache.org/r/50216/
https://reviews.apache.org/r/50580/
https://reviews.apache.org/r/50581/

was (Author: gilbert):
https://reviews.apache.org/r/50214/
https://reviews.apache.org/r/50215/
https://reviews.apache.org/r/50216/

> MesosContainerizerLaunch flags execute arbitrary commands via shell
> -------------------------------------------------------------------
>
> Key: MESOS-5388
> URL: https://issues.apache.org/jira/browse/MESOS-5388
> Project: Mesos
> Issue Type: Bug
> Components: containerization
> Reporter: James DeFelice
> Assignee: Gilbert Song
> Labels: mesosphere, security
>
> For example, the docker volume isolator's containerPath is appended (without
> sanitation) to a command that's executed in this manner. As such, it's
> possible to inject arbitrary shell commands to be executed by mesos.
> https://github.com/apache/mesos/blob/17260204c833c643adf3d8f36ad8a1a606ece809/src/slave/containerizer/mesos/launch.cpp#L206
> Perhaps instead of strings these commands could/should be sent as string
> arrays that could be passed as argv arguments w/o shell interpretation?

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
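
The contrast the report draws between a command string parsed by a shell and an argv array handed straight to exec, as an added example that is not Mesos code and not part of the ticket. The function names, the `echo` stand-in command and the sample `containerPath` value are assumptions made for illustration.

```cpp
// Added illustration, not Mesos code. `echo` stands in for the real helper
// command, and the containerPath value in main() is constructed.
#include <iostream>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Fork, exec args[0] with args as its argument vector, return its stdout.
static std::string capture(const std::vector<std::string>& args) {
  int fds[2];
  if (pipe(fds) != 0) return "";
  pid_t pid = fork();
  if (pid < 0) { close(fds[0]); close(fds[1]); return ""; }
  if (pid == 0) {
    dup2(fds[1], STDOUT_FILENO);
    close(fds[0]); close(fds[1]);
    std::vector<char*> argv;
    for (const std::string& a : args) argv.push_back(const_cast<char*>(a.c_str()));
    argv.push_back(nullptr);
    execvp(argv[0], argv.data());
    _exit(127);  // exec failed
  }
  close(fds[1]);
  std::string out;
  char buf[256];
  ssize_t n;
  while ((n = read(fds[0], buf, sizeof buf)) > 0) out.append(buf, static_cast<size_t>(n));
  close(fds[0]);
  waitpid(pid, nullptr, 0);
  return out;
}

// Pattern from the report: the path is appended to a string a shell parses.
std::string launch_via_shell(const std::string& containerPath) {
  return capture({"/bin/sh", "-c", "echo " + containerPath});
}

// Pattern the reporter proposes: the path is one argv element, no shell.
std::string launch_via_argv(const std::string& containerPath) {
  return capture({"echo", containerPath});
}

int main() {
  const std::string path = "/mnt/vol; echo SECOND_COMMAND";  // constructed
  std::cout << launch_via_shell(path);  // two lines: the shell ran two commands
  std::cout << launch_via_argv(path);   // one line: path stayed one argument
  return 0;
}
```

With the argv form the metacharacters in the path reach the child process as literal bytes of a single argument, so no quoting or escaping step is needed for them.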