Unsafe processing of special characters in CLI autocomplete
Confirmed, Unbreak Now! | Public | BUG

Description

Using the ' character inside a value in config mode leads to unsafe execution of this value. For example:

[edit]
vyos@vyos# set '`echo leaked > /tmp/cli`' [TAB]
[edit]
vyos@vyos# cat /tmp/cli 
leaked
[edit]
vyos@vyos#

Or, even funnier (DO NOT DO THIS ON PRODUCTION):

set '`sudo systemctl reboot`'
[TAB to reboot immediately]

This is a critical bug; proper processing of special characters should be added.
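
The bug class described above, as an added sketch that is not VyOS code and not part of the original report: a completion helper that pastes the typed word into a string the shell parses again, next to a form that only ever passes the word as a quoted argument. The helper names (`lookup_children`, `complete_unsafe`, `complete_safe`) and the `eval`-based cause are assumptions, since the task does not state why the issue appeared.

```shell
#!/bin/sh
# Added illustration: hypothetical completion helpers, not VyOS code.

# Hypothetical stand-in for looking up valid completions under a config path.
# It echoes the path words it received and never interprets them.
lookup_children() {
    printf 'children-of:%s\n' "$*"
}

# Vulnerable pattern: the typed word is pasted into a string that the shell
# parses a second time, so backticks and $() inside it are executed.
complete_unsafe() {
    eval "lookup_children set $1"
}

# Hardened pattern: the word is only passed as a quoted argument, so it stays
# data no matter which metacharacters it contains.
complete_safe() {
    lookup_children set "$1"
}

# Constructed demo. Prints "unsafe=<0|1> safe=<0|1>", where 1 means the marker
# file appeared, i.e. the typed value ran as a command during completion.
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed input modelled on the report: the value as it would reach the
    # helper once the outer single quotes have been removed.
    word="\`echo leaked > $dir/marker\`"

    complete_unsafe "$word" >/dev/null 2>&1
    [ -e "$dir/marker" ] && unsafe=1 || unsafe=0
    rm -f "$dir/marker"

    complete_safe "$word" >/dev/null 2>&1
    [ -e "$dir/marker" ] && safe=1 || safe=0

    rm -rf "$dir"
    printf 'unsafe=%s safe=%s\n' "$unsafe" "$safe"
}

demo
```

The same marker-file check works as a regression test for a fix: feed the completion path a value containing backticks or `$()` and assert that nothing was executed.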

Details

Difficulty level: Normal (likely a few hours)
Version: 1.4-rolling-202103130218, 1.3-beta-202103150703, 1.2.6-S1
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Behavior change

Event Timeline

zsdc changed the task status from Open to Confirmed. Mar 15 2021, 12:20 PM
zsdc triaged this task as Unbreak Now! priority.
zsdc created this task.