You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I observe that the argument passed to -r is passed to a shell command for find as value for -regex without any form of quoting. As such, the regular expression is first interpreted by the shell and applies special meaning to e.g. ;, $, or |. Is this intentional? Using an alternative such as -r "sd[a-z]|nvme[0-9]" is interpreted as a pipeline and fails finding the nvme[0-9] command. The | can be escaped as \| to make it work as intended.
If one were to allow execution of check_smart_attributes with a user-supplied regex in an nrpe check (bad idea), this would open up a remote execution opportunity.
I note that fixing this will break the configuration of users who currently use the -r option with escaping and make their regular expressions stop matching without an indication of their checks becoming broken. Fixing this is not without cost.
If you are looking into shell quoting, stackoverflow has answers. If you rather keep this behavior as is instead of breaking backwards-compatibility, please close this issue. Thanks for considering.
The text was updated successfully, but these errors were encountered:
I observe that the argument passed to
-ris passed to a shell command forfindas value for-regexwithout any form of quoting. As such, the regular expression is first interpreted by the shell and applies special meaning to e.g.;,$, or|. Is this intentional? Using an alternative such as-r "sd[a-z]|nvme[0-9]"is interpreted as a pipeline and fails finding thenvme[0-9]command. The|can be escaped as\|to make it work as intended.If one were to allow execution of
check_smart_attributeswith a user-supplied regex in annrpecheck (bad idea), this would open up a remote execution opportunity.I note that fixing this will break the configuration of users who currently use the
-roption with escaping and make their regular expressions stop matching without an indication of their checks becoming broken. Fixing this is not without cost.If you are looking into shell quoting, stackoverflow has answers. If you rather keep this behavior as is instead of breaking backwards-compatibility, please close this issue. Thanks for considering.
The text was updated successfully, but these errors were encountered: