[OpenSIPS-Users] Best practices regarding exec module command injection

Erik H erikh998877 at gmail.com
Fri Sep 9 08:57:55 UTC 2022


Hi Bogdan,

Thanks for the reply! What about the general case, where it's not
necessarily $tu that is being used but any user-supplied variable?
Would s.escape.common suffice to avoid command injection?

Regards,
Erik

On Thu 8 Sep 2022 at 11:07, Bogdan-Andrei Iancu <bogdan at opensips.org> wrote:
>
> Hi Erik,
>
> The $tu is the TO URI, so it should follow the URI syntax, which does
> not allow shell specific chars in it (like " ' | > and so on). So it should
> be safe. Nevertheless, you should force a URI specific parsing using the
> {uri} transformation and try to separately push as params the username
> and domain - again, just to be safe.
>
> Regards,
>
> Bogdan-Andrei Iancu
>
> OpenSIPS Founder and Developer
>    https://www.opensips-solutions.com
> OpenSIPS Summit 27-30 Sept 2022, Athens
>    https://www.opensips.org/events/Summit-2022Athens/
>
> On 9/7/22 5:39 PM, Erik H wrote:
> > Hi!
> >
> > What are the recommended practices to avoid command injection when
> > using the exec module with user-defined variables as arguments?
> >
> > For example, say we have this code:
> >
> > exec("/home/.../myscript.sh '$tu'")
> >
> > (or with whatever user-defined value other than $tu we may want to use)
> >
> > Would this be vulnerable to command injection, or does OpenSIPS
> > recognize that the quoted "$tu" value should be escaped? If it is
> > vulnerable, how can we best avoid this? Does it suffice to use
> > s.escape.common on the value?
> >
> > Regards,
> > Erik
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.opensips.org
> > http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
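The separation Bogdan recommends, written out as an added OpenSIPS script fragment that is not from this thread (the route name, the $var names, the script path and the allowed-character patterns are assumptions for illustration): parse the username and host out of $tu with the {uri} transformations, reject anything outside a strict allow-list, and only then pass the two values to exec() as separate arguments, never the raw URI string.

```cfg
# Added example, not from the mailing-list thread. Route name, script path
# and the allow-list patterns are assumptions chosen for illustration.
route[run_myscript] {
    # Parse the To URI instead of trusting the raw $tu string.
    $var(user) = $(tu{uri.user});
    $var(host) = $(tu{uri.host});

    # Allow-list check: only characters the shell can never interpret.
    # Quotes, ; | > & $ whitespace and everything else are rejected outright,
    # which is stronger than trying to escape them after the fact.
    if (!($var(user) =~ "^[A-Za-z0-9._+-]+$")) {
        xlog("L_WARN", "exec refused: unexpected chars in To user <$var(user)>\n");
        exit;
    }
    if (!($var(host) =~ "^[A-Za-z0-9.-]+$")) {
        xlog("L_WARN", "exec refused: unexpected chars in To host <$var(host)>\n");
        exit;
    }

    # Hand the two validated values to the script as separate quoted arguments.
    # The vulnerable form from the original question, exec("... '$tu'"), is
    # deliberately not used: the full URI never reaches the shell.
    exec("/path/to/myscript.sh '$var(user)' '$var(host)'");
}
```

Because the check runs before exec() and fails closed, a request whose To URI carries anything outside the allow-list is logged and dropped rather than escaped, which is the behaviour a defender wants when the downstream consumer is a shell.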