[MXS-23] bugzillaId-553: maxadmin cmdline arg command vs. filename ambiguity - a potential security issue?
Created: 2014-01-22 | Updated: 2024-02-02 | Resolved: 2017-03-30

| Status: | Closed |
| Project: | MariaDB MaxScale |
| Component/s: | maxadmin |
| Affects Version/s: | 1.0.0 |
| Fix Version/s: | 2.2.0 |
| Type: | New Feature |
| Priority: | Minor |
| Reporter: | Hartmut Holzgraefe |
| Assignee: | Esa Korhonen |
| Resolution: | Fixed |
| Votes: | 1 |
| Labels: | None |
| Environment: | Linux |
| Sprint: | 2017-31 |

| Description |
This is imported from bugzilla item: http://bugs.mariadb.com/show_bug.cgi?id=553
The fix version in bugzilla shows "commit 5cfbfe39ac942e406de719612257ef797dca9c7f"

Hartmut Holzgraefe 2014-09-22 18:15:46 UTC

Problem is that a file name can be the same as a maxadmin command, e.g.:

    echo list clients > list\ servers

will list clients, not servers, as "list servers" is now a valid, readable file ....

While it's unlikely that someone names files like this by accident, it may be an attack vector for maliciously changing the behaviour of maxscale invocations with cmdline commands ...

proposed fix:

1) either have an explicit 

2) or do not support giving a file name at all, just rely on input redirection, e.g.:

    maxadmin ... < cmdfile.txt

instead of

    maxadmin ... cmdfile.txt

The "mysql" command line client takes the 2nd approach, so that's probably what
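As an added illustration (this is not MaxScale or maxadmin code), the following Python models the two argument-resolution policies the report contrasts: the reported behaviour, where a readable file whose name matches the joined arguments silently takes precedence over the command, and the hardened form of proposal 2, where positional arguments are always a command and a script is only read from standard input. The resolver names, the small command table, and the temporary file named "list servers" are all constructed for this example.

```python
"""Added example, not maxadmin's own code: command-vs-filename ambiguity.

resolve_ambiguous() models the behaviour the report describes; resolve_strict()
models proposal 2 (commands on the command line, scripts only via stdin).
Function names and the COMMANDS table are assumptions made for this example.
"""
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed subset of a command table; the real tool's list is not reproduced.
COMMANDS = {"list clients", "list servers", "list services"}


def resolve_ambiguous(args: List[str]) -> Tuple[str, str]:
    """Reported behaviour: if the joined arguments name a readable file, read
    commands from that file; otherwise treat them as a command.  A file named
    'list servers' therefore shadows the 'list servers' command."""
    text = " ".join(args)
    if os.path.isfile(text) and os.access(text, os.R_OK):
        with open(text, encoding="utf-8") as fh:
            return ("file", fh.read().strip())
    return ("command", text)


def resolve_strict(args: List[str], stdin_text: str = "") -> Tuple[str, str]:
    """Hardened form (proposal 2): positional arguments are always a command and
    are validated against the known command table; a script is accepted only
    from stdin.  The file system is never consulted to interpret an argument."""
    text = " ".join(args)
    if text:
        if text not in COMMANDS:
            raise ValueError(f"unknown command: {text!r}")
        return ("command", text)
    return ("stdin", stdin_text.strip())


def demo() -> Dict[str, Tuple[str, str]]:
    """Run both resolvers in a temp dir holding a constructed file named
    'list servers' whose content is 'list clients' (mirrors the report's
    `echo list clients > list\\ servers`)."""
    with tempfile.TemporaryDirectory() as tmp:
        previous = os.getcwd()
        os.chdir(tmp)
        try:
            with open("list servers", "w", encoding="utf-8") as fh:
                fh.write("list clients\n")
            return {
                # File shadows the command: the user asked for servers, gets clients.
                "ambiguous": resolve_ambiguous(["list", "servers"]),
                # Strict resolver ignores the file and runs the requested command.
                "strict": resolve_strict(["list", "servers"]),
                # Scripts are still possible, but only through redirection.
                "strict_stdin": resolve_strict([], stdin_text="list clients\n"),
            }
        finally:
            os.chdir(previous)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

The strict resolver also rejects unknown commands instead of falling back to a file lookup, so a stray file in the working directory cannot change which command runs; that validation step is an addition of this example, not something the report specifies.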
| Comments |

| Comment by Dipti Joshi (Inactive) [ 2015-03-09 ] |

This is comment history imported from bugzilla

Comment 1 Markus Mäkelä 2014-12-04 12:18:53 UTC

Comment 2 Markus Mäkelä 2014-12-04 12:31:28 UTC

Comment 3 Mark Riddoch 2015-02-13 10:40:03 UTC

Comment 4 Hartmut Holzgraefe 2015-02-13 10:47:47 UTC
I'm also missing comments on my ambiguity and security concerns ...

| Comment by markus makela [ 2015-05-09 ] |

Should this be reviewed and possibly changed?