The "security" feature of scrubbing the input is terribly broken as far as I can tell.
The reason that it has the appearance of working is that the sed line actually doesn't do anything. Its regular expression does not match most input. Tests:
$ echo 'a = "b"' | sed -e "s/\s?([^=]+)\s?=\s?(\x22([^\x22]+)\x22|\x27([^\x27]+)\x27|(\S+))\s?/\1='\2'/p"
a = "b"
$ echo " a = "b" " | sed -e "s/\s?([^=]+)\s?=\s?(\x22([^\x22]+)\x22|\x27([^\x27]+)\x27|(\S+))\s?/\1='\2'/p"
a = "b"
$ echo "a=b " | sed -e "s/\s?([^=]+)\s?=\s?(\x22([^\x22]+)\x22|\x27([^\x27]+)\x27|(\S+))\s?/\1='\2'/p"
a=b
Now let's suppose it did work as the original author intended. I could still submit the line: a="b';rm -rf /;a=' "
Which would be expanded to:
a='b';rm -rf /;a=' '
Which would then get run as root. (Or whichever user the script is run as on the remote end - root by default I think).
In addition, the whole concept of just doing the keyscan at the remote end and then dumping it into your known_hosts file without any verification completely defeats the point of the known_hosts file. You'd be better off just turning StrictHostKeyChecking to no in your ssh config - the only exception to this I can see is if you want specifically to not care who one particular host is for one particular user.