[jira] [Updated] (MESOS-5388) MesosContainerizerLaunch flags execute arbitrary commands via shell.

Gilbert Song (JIRA) Tue, 02 Aug 2016 16:52:03 -0700

     [ 
https://issues.apache.org/jira/browse/MESOS-5388?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Gilbert Song updated MESOS-5388:
--------------------------------
    Affects Version/s: 1.0.0
         Story Points: 5  (was: 3)
               Labels: containerizer isolator mesosphere security  (was: 
mesosphere security)
        Fix Version/s: 1.0.1

> MesosContainerizerLaunch flags execute arbitrary commands via shell.
> --------------------------------------------------------------------
>
>                 Key: MESOS-5388
>                 URL: https://issues.apache.org/jira/browse/MESOS-5388
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>    Affects Versions: 1.0.0
>            Reporter: James DeFelice
>            Assignee: Gilbert Song
>              Labels: containerizer, isolator, mesosphere, security
>             Fix For: 1.0.1
>
>
> For example, the docker volume isolator's containerPath is appended (without 
> sanitation) to a command that's executed in this manner. As such, it's 
> possible to inject arbitrary shell commands to be executed by mesos.
> https://github.com/apache/mesos/blob/17260204c833c643adf3d8f36ad8a1a606ece809/src/slave/containerizer/mesos/launch.cpp#L206
> Perhaps instead of strings these commands could/should be sent as string 
> arrays that could be passed as argv arguments w/o shell interpretation?



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (MESOS-5388) MesosContainerizerLaunch flags execute arbitrary commands via shell.

Reply via email to