From cd7fcab62fc20a163013710d6e3d95ff0fdd3aeb Mon Sep 17 00:00:00 2001
From: Taniadz
Date: Tue, 19 Sep 2017 00:08:03 +0300
Subject: T387: prevent command injection in VyConf external validator execution

---
src/value_checker.ml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src')

diff --git a/src/value_checker.ml b/src/value_checker.ml
index 1f123c0..aa88f7b 100644
--- a/src/value_checker.ml
+++ b/src/value_checker.ml
@@ -17,7 +17,7 @@ let validate_value dir value_constraint value =
 *)
 let validator = F.concat dir v in
 let arg = BatOption.default "" c in
-let safe_arg = "'" ^ Pcre.qreplace ~pat:"\"" ~templ:"\\\"" arg ^ "'" in
+let safe_arg = Printf.sprintf "'%s'" (Pcre.qreplace ~pat:"\"" ~templ:"\\\"" arg) in
 let result = Unix.system (Printf.sprintf "%s %s %s" validator safe_arg value) in
 match result with
 | Unix.WEXITED 0 -> true
-- 
cgit v1.2.3
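Review bot: The new `safe_arg` line is functionally identical to the removed one — both produce the argument wrapped in single quotes after replacing `"` with `\"` — so the command injection named in the commit subject is not closed by this hunk. Inside POSIX single quotes a double quote needs no escaping, whereas a single quote in `arg` terminates the quoted region, and `value` on the following line is interpolated into the `Unix.system` command string with no quoting at all. The standard library's `Filename.quote` already produces a shell-safe single-quoted form, so `let safe_arg = Filename.quote arg in` and `let result = Unix.system (Printf.sprintf "%s %s %s" validator safe_arg (Filename.quote value)) in` would cover both arguments without the Pcre dependency; avoiding the shell entirely via `Unix.create_process` with an argv array would be stronger still. The enclosing `validate_value` begins before the hunk and its match continues after it.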