Cinder

check_ssh_injection does not guard against all uses of special characters

Bug #1398002 reported by git-harry on 2014-12-01

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Cinder	Fix Released	Undecided	git-harry	Cinder 2015.1.0 "kilo"

Bug Description

I don't know if there are any practical implications of this, based on how the code currently uses this function, however check_ssh_injection does not raise an exception for all occurrences of special characters.

This correctly identifies the sem-colon:
>>> cinder.utils.check_ssh_injection(('some_command', ';some_bad_command'))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "cinder/utils.py", line 177, in check_ssh_injection
    raise exception.SSHInjectionThreat(command=cmd_list)
cinder.exception.SSHInjectionThreat: SSH command injection detected: ('some_command', ';some_bad_command')

This doesn't detect the semi-colon:
>>> cinder.utils.check_ssh_injection(('some_command', ';', 'some_bad_command'))

git-harry (git-harry) on 2014-12-01

Changed in cinder:
assignee:	nobody → git-harry (git-harry)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-12-01: Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/138068

Changed in cinder:
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-12-01: Fix merged to cinder (master)

Reviewed: https://review.openstack.org/138068
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=78d9c0366b08c64f39930c2375d6622041fc8abe
Submitter: Jenkins
Branch: master

commit 78d9c0366b08c64f39930c2375d6622041fc8abe
Author: git-harry <email address hidden>
Date: Mon Dec 1 13:26:40 2014 +0000

Fix check_ssh_injection in cinder/utils

check_ssh_injection is used to prevent commands being modified using
specially constructed strings containing special characters.

    The function includes a loop over the special characters to compare
    them against each arg. If the special character is the same as the arg
    it gets ignored.

    This commit modifies this part of the function so that args that are
    exactly equal to one of the special characters will cause an exception
    to be raised.

Change-Id: I3a61e995ea41fc0324b5cb60e3c96e3d9dc56637
Closes-Bug: #1398002

Changed in cinder:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2014-12-18

Changed in cinder:
milestone:	none → kilo-1
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-04-30

Changed in cinder:
milestone:	kilo-1 → 2015.1.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.