[OpenSIPS-Users] Best practices regarding exec module command injection

Bogdan-Andrei Iancu bogdan at opensips.org
Thu Sep 8 09:07:38 UTC 2022


Hi Erik,

The $tu is the TO URI, so it should follow the URI syntax, which does 
not allow shell-specific chars in it (like " ' | >  aso). So it should 
be safe. Nevertheless, you should force a URI-specific parsing using the 
{uri} transformation and try to separately push as params the username 
and domain - again, just to be safe.

Regards,

Bogdan-Andrei Iancu

OpenSIPS Founder and Developer
   https://www.opensips-solutions.com
OpenSIPS Summit 27-30 Sept 2022, Athens
   https://www.opensips.org/events/Summit-2022Athens/

On 9/7/22 5:39 PM, Erik H wrote:
> Hi!
>
> What are the recommended practices to avoid command injection when
> using the exec module with user-defined variables as arguments?
>
> For example, say we have this code:
>
> exec("/home/.../myscript.sh '$tu'")
>
> (or with whatever user-defined value other than $tu we may want to use)
>
> Would this be vulnerable to command injection, or does OpenSIPS
> recognize that the quoted "$tu" value should be escaped? If it is
> vulnerable, how can we best avoid this? Does it suffice to use
> s.escape.common on the value?
>
> Regards,
> Erik
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
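The defensive pattern the reply describes (parse the value as a URI, then pass the username and domain as separate parameters rather than interpolating the whole string into a quoted shell command) is shown below as an added, stand-alone Python example; it is not OpenSIPS code and it does not model the exec module or the {uri} transformation itself. It deliberately does not rely on URI grammar alone as the safety argument: the RFC 3261 grammar for the user part of a SIP URI permits characters such as `'`, `$`, `;`, `(`, `)` and `*` (the `mark` and `user-unreserved` sets), so a value that is a valid SIP URI can still contain shell metacharacters. The script path, the allowlist regexes and the sample URIs are constructed for the example.

```python
"""Safe handling of SIP URI data passed to an external script.

Added example, not part of the mailing-list thread. The script path and the
allowlists are assumptions; narrow them to what the downstream script needs.
"""
import re
import shlex
import subprocess
from typing import List, Optional, Tuple

# Conservative allowlists, deliberately narrower than RFC 3261 (which allows
# ' $ ; ( ) * and more in the user part). Assumption: the downstream script
# accepts nothing outside these sets.
USER_RE = re.compile(r"^[A-Za-z0-9._+-]{1,64}$")
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def split_sip_uri(uri: str) -> Optional[Tuple[str, str]]:
    """Return (user, host) from 'sip[s]:[user@]host[:port][;params][?headers]'.

    Returns None when the string does not have that shape. Port, URI
    parameters and headers are parsed but dropped: the script only gets
    the two components it needs.
    """
    m = re.fullmatch(
        r"sips?:(?:([^@;?]*)@)?([^:;?]+)(?::\d+)?(?:;[^?]*)?(?:\?.*)?", uri
    )
    if m is None:
        return None
    return (m.group(1) or "", m.group(2))


def validated_parts(uri: str) -> Tuple[str, str]:
    """Parse the URI and allowlist-check each component separately.

    Raises ValueError on anything unexpected, so a request carrying a
    shell metacharacter in the user part never reaches the script.
    """
    parts = split_sip_uri(uri)
    if parts is None:
        raise ValueError("not a SIP URI")
    user, host = parts
    if not USER_RE.fullmatch(user):
        raise ValueError("user part rejected")
    if not HOST_RE.fullmatch(host):
        raise ValueError("host part rejected")
    return user, host


def build_argv(script: str, uri: str) -> List[str]:
    """Build an argv vector: each component is its own argument and no shell
    is involved, so quoting is never the security control."""
    user, host = validated_parts(uri)
    return [script, user, host]


def shell_command(script: str, uri: str) -> str:
    """When a single command line is unavoidable (the exec-module situation),
    build it only from validated parts and let shlex.quote do the quoting
    instead of hand-written '...' around an interpolated variable."""
    user, host = validated_parts(uri)
    return " ".join(shlex.quote(p) for p in (script, user, host))


def run_script(script: str, uri: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Run the script with the validated components as separate arguments."""
    return subprocess.run(
        build_argv(script, uri),
        shell=False,  # argv is passed directly to execve; no shell parsing
        capture_output=True,
        text=True,
        timeout=timeout,
    )


if __name__ == "__main__":
    # Constructed sample values: one normal URI, one whose user part contains
    # a single quote (legal per RFC 3261, but rejected by the allowlist).
    for sample in ("sip:alice@example.com;transport=tcp", "sip:ali'ce@example.com"):
        try:
            print(build_argv("/opt/scripts/myscript.sh", sample))
        except ValueError as err:
            print(f"{sample!r} rejected: {err}")
```

The two layers are independent: the allowlist limits what the script ever sees, and passing components as separate argv entries (or, failing that, building the line with `shlex.quote`) means a value that slips past validation still cannot change the command structure.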
