Send patches - preferably formatted by git format-patch - to patches at archlinux32 dot org.
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorErich Eckner <git@eckner.net>2017-10-23 12:29:37 +0200
committerErich Eckner <git@eckner.net>2017-10-23 12:29:37 +0200
commit001b21871c61e3a13a949173e429f86ea362959d (patch)
tree5b563f944b484d1c46916f82d7c7592f05d12d2f
parentd05885c1afb96dc893d4eb763d2ee577a7686fb5 (diff)
bin/slave-build-connect: repair, but still preven shell injections
-rwxr-xr-xbin/slave-build-connect22
1 files changed, 15 insertions, 7 deletions
diff --git a/bin/slave-build-connect b/bin/slave-build-connect
index e773256..84abba1 100755
--- a/bin/slave-build-connect
+++ b/bin/slave-build-connect
@@ -5,13 +5,21 @@
if [ "${SSH_ORIGINAL_COMMAND%% *}" = "get-assignment" ] || \
[ "${SSH_ORIGINAL_COMMAND%% *}" = "return-assignment" ]; then
- export slave="$1"
- # this is somewhat cumbersome, but we want:
- # - no expansion of special shell-chars (*,;,\n,&&,~,$HOME)
- # - splitting of arguments on spaces
- echo "${SSH_ORIGINAL_COMMAND#* }" | \
- xargs "${base_dir}/bin/${SSH_ORIGINAL_COMMAND%% *}"
+
+ # small check to prevent some shell-injections
+ if echo "${SSH_ORIGINAL_COMMAND}" | \
+ grep -q '[^-a-zA-Z0-9.+_]'; then
+
+ >&2 printf 'Invalid command: "%s".\n' "${SSH_ORIGINAL_COMMAND}"
+ exit 42
+
+ fi
+
+ slave="$1" /bin/sh -c "${base_dir}/bin/${SSH_ORIGINAL_COMMAND}"
+
else
- >&2 echo "Invalid command: '${SSH_ORIGINAL_COMMAND%% *}'"
+
+ >&2 printf 'Invalid command: "%s".\n' "${SSH_ORIGINAL_COMMAND}"
exit 42
+
fi