mesos-reviews mailing list archives

From James Peach <jamespe...@me.com>
Subject Re: Review Request 56527: Disallowed special path components in IDs.
Date Sat, 11 Feb 2017 01:05:55 GMT


> On Feb 10, 2017, at 5:02 PM, Jiang Yan Xu <yan@jxu.me> wrote:
> 
> 
> This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/56527/
> 
> On February 10th, 2017, 10:11 a.m. PST, James Peach wrote:
> 
> src/common/validation.cpp (Diff revision 1)
> namespace mesos {
> 42	
>       id == string{os::HOME_DIRECTORY}) {
> '~' is a bad choice for an ID, but by itself it is not a security issue. You ought to check for id[0] != '~' (or just ban it anywhere in the string).
> "~" is "by itself" as much of a security issue as "..", right?

Yep you are right, I forgot that case :)


> but yeah I overlooked other forms of Tilde-Expansion. As jpeach pointed out offline, perhaps instead of disallowing certain characters, it's easier to only allow certain chars. We should discuss with the community on that though. I'll drop "~" for now.
> 
> - Jiang Yan
> 
> 
> On February 9th, 2017, 11:05 p.m. PST, Jiang Yan Xu wrote:
> 
> Review request for mesos and James Peach.
> By Jiang Yan Xu.
> Updated Feb. 9, 2017, 11:05 p.m.
> 
> Bugs: MESOS-7086
> Repository: mesos
> Description
> 
> - Such IDs should lead to surprising or even dangerous agent side
> directory structure.
> Testing
> 
> make check.
> Diffs
> 
> src/common/validation.cpp (0f1a02286d8431acfee6136e8ada49b0ac746897)
> src/tests/master_validation_tests.cpp (0c2649089d7fd29eb021ac75c71e6a74368577dc)
> src/tests/slave_validation_tests.cpp (3d17799ed04951fb56524db0f5d89347192300b2)
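
The allowlist idea raised in the thread, compared with an exact-match denylist, as an added example (not code from Mesos or from this review). The function names, the denylist contents, the permitted character set and the sample IDs are all assumptions made for the comparison.

```cpp
// Added illustration; not code from Mesos or from review 56527.
#include <algorithm>
#include <string>
#include <vector>

// Denylist: reject only known-bad whole IDs and the path separator.
// The exact set checked here is an assumption for the comparison.
bool denylistAccepts(const std::string& id)
{
  if (id.empty() || id == "." || id == ".." || id == "~") {
    return false;
  }
  return id.find('/') == std::string::npos;
}

// Allowlist: every byte must be explicitly permitted. The permitted set
// (ASCII letters, digits, '-', '_', '.') is an assumption, not project policy.
bool allowlistAccepts(const std::string& id)
{
  if (id.empty() || id == "." || id == "..") {
    return false;
  }
  return std::all_of(id.begin(), id.end(), [](char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
  });
}

// Constructed sample IDs: one ordinary ID, then forms a denylist can miss.
const std::vector<std::string> kSamples = {
  "task-1.attempt_2", "~", "~root", "~+", "..", "a/b", "a\nb", "a b"};

// IDs the denylist lets through but the allowlist rejects.
std::vector<std::string> denylistGaps(const std::vector<std::string>& ids)
{
  std::vector<std::string> gaps;
  for (const std::string& id : ids) {
    if (denylistAccepts(id) && !allowlistAccepts(id)) {
      gaps.push_back(id);
    }
  }
  return gaps;
}
```

Calling `denylistGaps(kSamples)` returns the tilde forms other than a bare `~` plus the IDs containing whitespace, which is the gap the exact-match check leaves open.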
