Maniphest T3410

Unsafe processing of special characters in CLI autocomplete
Confirmed, Unbreak Now!PublicBUG
Actions

Assigned To

Authored By

	zsdc
	Mar 15 2021, 12:20 PM

Tags

Referenced Files

None

Subscribers

Description

Unsafe processing of special characters in CLI autocomplete

Using the ' character inside a value in config mode leads to unsafe execution of this value. For example:

[edit]
vyos@vyos# set '`echo leaked > /tmp/cli`' [TAB]
[edit]
vyos@vyos# cat /tmp/cli 
leaked
[edit]
vyos@vyos#

Or even more funny (DO NOT DO THIS ON PRODUCTION):

set '`sudo systemctl reboot`'
[TAB to reboot immediately]

This is a critical bug, a proper processing of special characters should be added.

Details

Difficulty level: Normal (likely a few hours)
Version: 1.4-rolling-202103130218, 1.3-beta-202103150703, 1.2.6-S1
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Behavior change
Issue type: Unspecified (please specify)

Event Timeline

zsdc changed the task status from Open to Confirmed.Mar 15 2021, 12:20 PM

zsdc triaged this task as Unbreak Now! priority.

zsdc created this task.

It will be enough to add a quote here?

"\`"

https://github.com/vyos/vyatta-cfg/blob/fa2b172512aa024a9853166528c9e6601fde94d8/src/cli_new.c#L1886-L1888

syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.9), VyOS 1.3 Equuleus (1.3.0-epa3); removed VyOS 1.2 Crux, VyOS 1.3 Equuleus.Oct 17 2021, 1:37 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.0); removed VyOS 1.3 Equuleus (1.3.0-epa3).Nov 1 2021, 10:11 PM

pasik added a subscriber: pasik.Nov 2 2021, 8:59 AM

syncer assigned this task to dmbaturin.Nov 6 2021, 11:38 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.3); removed VyOS 1.3 Equuleus (1.3.0).Aug 29 2022, 7:04 AM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.4); removed VyOS 1.3 Equuleus (1.3.3).Jul 12 2023, 9:39 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.5); removed VyOS 1.3 Equuleus (1.3.4).Aug 25 2023, 9:29 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.6); removed VyOS 1.3 Equuleus (1.3.5).Dec 17 2023, 11:37 PM

syncer edited projects, added VyOS 1.3 Equuleus (1.3.7); removed VyOS 1.3 Equuleus (1.3.6).Feb 10 2024, 9:17 AM

dmbaturin edited projects, added VyOS 1.4 Sagitta (1.4.0-epa3); removed VyOS 1.2 Crux (VyOS 1.2.9), VyOS 1.4 Sagitta.Fri, Apr 12, 2:01 PM

dmbaturin set Issue type to Unspecified (please specify).