Comment 19 for bug 1520691

edso (ed.so) wrote : Re: [Duplicity-team] [Bug 1520691] Re: Shell Code Injection in hsi backend

On 30.11.2015 23:05, Kenneth Loafman wrote:
> The whole idea of shell code injection implies bad player access, which is
> the issue that should be most important to close.

we backup to potentially insecure backends. that's what the encryption is for ;).. in theory a malicious party could fiddle with the file names on the backend and i am pretty sure no one tested this possibility with shell based backends so far wrt. shell injections.

so actually, disagreed. but as usual, it will be done if somebody does it ;) not earlier.

btw. python pexpect seems to shlex.split() too if it isn't provided a list of arguments
 https://github.com/pexpect/pexpect/blob/master/pexpect/popen_spawn.py#L42

..ede/duply.net
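
An added illustration (not part of the original comment, and not duplicity or pexpect code) of the point about `shlex.split()`: when a command is built as one string, a file name returned by the backend can change the resulting argument vector, while an argument list or `shlex.quote()` keeps it as a single argument. The tool name, local path and file names are constructed for this sketch.

```python
import shlex

TOOL = "fetchtool"  # hypothetical CLI name, not a real backend command

# Constructed file names, as a listing from an untrusted backend might return.
REMOTE_NAMES = [
    "duplicity-full.vol1.difftar.gpg",
    "duplicity-full.vol1.difftar.gpg -o /tmp/other",
    "duplicity-full.vol1'.difftar.gpg",
]

def argv_unquoted(name, local="/tmp/restore"):
    """Interpolate the name into one string, then tokenise with shlex.split()."""
    try:
        return shlex.split("%s get %s %s" % (TOOL, local, name))
    except ValueError:  # unbalanced quote in the name breaks tokenising
        return None

def argv_quoted(name, local="/tmp/restore"):
    """Same string form, but each value passes through shlex.quote() first."""
    cmd = "%s get %s %s" % (TOOL, shlex.quote(local), shlex.quote(name))
    return shlex.split(cmd)

def argv_list(name, local="/tmp/restore"):
    """Argument list: no tokenising step, so the name stays one element."""
    return [TOOL, "get", local, name]

def report(names=REMOTE_NAMES):
    """Per name: does each string construction match the list form exactly?"""
    rows = []
    for name in names:
        expected = argv_list(name)
        rows.append((name,
                     argv_unquoted(name) == expected,
                     argv_quoted(name) == expected))
    return rows

if __name__ == "__main__":
    for name, unquoted_ok, quoted_ok in report():
        print("%-50r unquoted=%s quoted=%s" % (name, unquoted_ok, quoted_ok))
```

A name that begins with `-` is still read as an option by the called tool even in list form, so backend-supplied names also need validating against the expected naming pattern before use.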