Hi Erik,
The $tu is the TO URI, so it should follow the URI syntax, which does
not allow shell specific chars in it (like " ' | > aso). So it should
be safe. Nevertheless, you should force a URI specific parsing using the
{uri} transformation and try to separately push as params the username
and domain - again, just to be safe.
Regards,
Bogdan-Andrei Iancu
OpenSIPS Founder and Developer
https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
https://www.opensips.org/events/Summit-2022Athens/
On 9/7/22 5:39 PM, Erik H wrote:
Hi!
What are the recommended practices to avoid command injection when
using the exec module with user-defined variables as arguments?
For example, say we have this code:
exec("/home/.../myscript.sh '$tu'")
(or with whatever user-defined value other than $tu we may want to use)
Would this be vulnerable to command injection, or does OpenSIPS
recognize that the quoted "$tu" value should be escaped? If it is
vulnerable, how can we best avoid this? Does it suffice to use
s.escape.common on the value?
Regards,
Erik
_______________________________________________
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
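Added example, not code from the thread or from the OpenSIPS project: a defensive version of the script that exec() invokes, following the advice above to push the username and domain separately and to validate them. It assumes the OpenSIPS route splits $tu with the uri transformation and hands the two parts over as two arguments (for instance "$(tu{uri.user})" and "$(tu{uri.host})", assumed here), so the script sees "$1" as the user part and "$2" as the host part. Everything that is not in a small allowlist of URI characters is rejected, so a value carrying quotes, separators or other shell metacharacters never reaches the code that does the real work.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSIPS): the script that exec()
# invokes validates the SIP URI user and host it receives before using them.
# Assumption: the OpenSIPS route passes the two parts as separate arguments,
# e.g. exec("/path/myscript.sh $(tu{uri.user}) $(tu{uri.host})"), so the
# script sees "$1" = user part and "$2" = host part.

# Accept only the characters a SIP user part normally carries; anything
# else (quotes, ; | > $ backticks, whitespace) is rejected outright.
sip_user_ok() {
  case "$1" in
    "") return 1 ;;                        # empty user part
    *[!A-Za-z0-9._+-]*) return 1 ;;        # character outside the allowlist
  esac
  return 0
}

# Host part: DNS label characters only, no leading, trailing or double dots.
sip_host_ok() {
  case "$1" in
    "") return 1 ;;
    *[!A-Za-z0-9.-]*) return 1 ;;
    .*|*.|*..*) return 1 ;;
  esac
  return 0
}

# Validate both parts; returns 0 only when both are acceptable.
validate_sip_parts() {
  sip_user_ok "$1" && sip_host_ok "$2"
}

# The real work goes here; the arguments are always used double-quoted so
# the shell never re-parses them as code.
handle_call() {
  printf 'handling %s@%s\n' "$1" "$2"
}

# Entry point when invoked by exec(): refuse to run on bad input.
if [ "$#" -eq 2 ]; then
  if validate_sip_parts "$1" "$2"; then
    handle_call "$1" "$2"
  else
    printf 'rejected suspicious URI parts\n' >&2
    exit 2
  fi
fi
```

The allowlist is deliberately narrower than what RFC 3261 permits in a user part; if your deployment needs other characters, extend the bracket expression rather than dropping the check, and keep the arguments quoted wherever they are used.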