Opened 17 years ago
Closed 17 years ago
#3892 closed patch (fixed)
Shell escape userid/password for Schedules Direct
| Reported by: | Owned by: | Isaac Richards | |
|---|---|---|---|
| Priority: | minor | Milestone: | unknown |
| Component: | mythtv | Version: | head |
| Severity: | medium | Keywords: | |
| Cc: | Ticket locked: | no |
Description
The attached patch shell escapes the userid and password for Schedules Direct accounts to allow the use of the single quote character. Though it's unlikely that a single quote exists in a valid userid, shell escaping the userid will allow the user to see a useful error in the log rather than simply seeing sh complain about a missing single quote. After this patch, the mythfilldatabase code can handle any special characters that SD can handle.
This does also have a small security benefit, especially for those running the backend as root. In order to use the exploit, though, an attacker would need other access to the system. So, the security side side of the fix is probably less important than the usability/good error message side of it.
This should probably also be applied to -fixes.
Thanks to xris for teaching me how to properly shell escape a single quote.
Attachments (1)
Change History (3)
Changed 17 years ago by
| Attachment: | mythtv-mythfilldatabase-single_quote_in_password.patch added |
|---|
(In [14347]) Escape single quotes in the Schedules Direct username and password.
Thanks to Sphery for the patch and Xris for his help and assistance.
Refs #3892