T387: prevent command injection in VyConf external validator execution

author: Taniadz <tdziubenko@ukr.net> 2017-09-19 00:08:03 +0300
committer: Taniadz <tdziubenko@ukr.net> 2017-09-19 00:08:03 +0300
commit: cd7fcab62fc20a163013710d6e3d95ff0fdd3aeb (patch)
tree: 6a833fd565ce9620d3602d6da8bdfff424c79e99 /src
parent: a41a93ff060dd04c692f1faa166973f2c5f0878c (diff)
download: vyconf-cd7fcab62fc20a163013710d6e3d95ff0fdd3aeb.tar.gz
vyconf-cd7fcab62fc20a163013710d6e3d95ff0fdd3aeb.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/src/value_checker.ml b/src/value_checker.ml
index 1f123c0..aa88f7b 100644
--- a/src/value_checker.ml
+++ b/src/value_checker.ml
@@ -17,7 +17,7 @@ let validate_value dir value_constraint value =
          *)
         let validator = F.concat dir v in
         let arg = BatOption.default "" c in
-        let safe_arg = "'" ^ Pcre.qreplace ~pat:"\"" ~templ:"\\\"" arg ^ "'" in
+        let safe_arg = Printf.sprintf "'%s'" (Pcre.qreplace ~pat:"\"" ~templ:"\\\"" arg) in
         let result = Unix.system (Printf.sprintf "%s %s %s" validator safe_arg value) in
         match result with
         | Unix.WEXITED 0 -> true
author	Taniadz <tdziubenko@ukr.net>	2017-09-19 00:08:03 +0300
committer	Taniadz <tdziubenko@ukr.net>	2017-09-19 00:08:03 +0300
commit	cd7fcab62fc20a163013710d6e3d95ff0fdd3aeb (patch)
tree	6a833fd565ce9620d3602d6da8bdfff424c79e99 /src
parent	a41a93ff060dd04c692f1faa166973f2c5f0878c (diff)
download	vyconf-cd7fcab62fc20a163013710d6e3d95ff0fdd3aeb.tar.gz vyconf-cd7fcab62fc20a163013710d6e3d95ff0fdd3aeb.zip