Opened 12 years ago

Closed 12 years ago

#3892 closed patch (fixed)

Shell escape userid/password for Schedules Direct

Reported by: sphery <mtdean@…>
Owned by: Isaac Richards
Priority: minor
Milestone: unknown
Component: mythtv
Version: head
Severity: medium
Keywords:
Cc:
Ticket locked: no

Description

The attached patch shell escapes the userid and password for Schedules Direct accounts to allow the use of the single quote character. Though it's unlikely that a single quote exists in a valid userid, shell escaping the userid will allow the user to see a useful error in the log rather than simply seeing sh complain about a missing single quote. After this patch, the mythfilldatabase code can handle any special characters that SD can handle.

This does also have a small security benefit, especially for those running the backend as root. In order to use the exploit, though, an attacker would need other access to the system. So, the security side of the fix is probably less important than the usability/good error message side of it.

This should probably also be applied to -fixes.

Thanks to xris for teaching me how to properly shell escape a single quote.

Attachments (1)

mythtv-mythfilldatabase-single_quote_in_password.patch (1.0 KB) - added by sphery <mtdean@…> 12 years ago.
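
An added example, not part of the original ticket or the attached patch: the standard POSIX single-quote escape (each `'` becomes `'\''`) written in C++, with a round trip through sh that shows the unescaped form failing on a quote. The function names and the sample password are constructed for illustration and are not MythTV identifiers.

```cpp
#include <cstdio>
#include <string>

// Wrap a value in single quotes for POSIX sh. Inside single quotes nothing is
// special except ' itself, so each ' becomes '\'' (close, escaped quote, reopen).
std::string shellEscape(const std::string &value)
{
    std::string out = "'";
    for (char c : value) {
        if (c == '\'')
            out += "'\\''";
        else
            out += c;
    }
    return out + "'";
}

// Quoting without escaping: the behaviour the ticket describes before the fix.
std::string naiveQuote(const std::string &value)
{
    return "'" + value + "'";
}

// Hand `printf '%s' <arg>` to sh via popen() and capture what the shell passed.
// Returns false when sh exits non-zero, e.g. on an unterminated quote.
bool shellRoundTrip(const std::string &quotedArg, std::string &seen)
{
    const std::string cmd = "printf '%s' " + quotedArg;
    FILE *pipe = popen(cmd.c_str(), "r");
    if (!pipe)
        return false;
    seen.clear();
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, pipe)) > 0)
        seen.append(buf, n);
    return pclose(pipe) == 0;
}

int main()
{
    const std::string password = "pa'ss word$HOME";  // constructed sample value
    std::string seen;
    bool ok = shellRoundTrip(shellEscape(password), seen);
    std::printf("escaped: ok=%d value=[%s]\n", ok, seen.c_str());
    ok = shellRoundTrip(naiveQuote(password), seen);
    std::printf("naive:   ok=%d value=[%s]\n", ok, seen.c_str());
    return 0;
}
```

Passing the credentials as separate arguments to an exec-style call, with no shell involved, removes the need for quoting altogether.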


Change History (3)

Changed 12 years ago by sphery <mtdean@…>

comment:1 Changed 12 years ago by stuartm

(In [14347]) Escape single quotes in the Schedules Direct username and password.

Thanks to Sphery for the patch and Xris for his help and assistance.

Refs #3892

comment:2 Changed 12 years ago by stuartm

Resolution: fixed
Status: new → closed

(In [14348]) Backports [14347] to -fixes.

Escape single quotes in the Schedules Direct username and password.

Thanks to Sphery for the patch and Xris for his help and assistance.

Fixes #3892
