[mythtv-commits] Ticket #3892: Shell escape userid/password for Schedules Direct
MythTV
mythtv at cvs.mythtv.org
Mon Aug 27 16:16:54 UTC 2007
#3892: Shell escape userid/password for Schedules Direct
----------------------------------------------+-----------------------------
Reporter: sphery <mtdean at thirdcontact.com> | Owner: ijr
Type: patch | Status: new
Priority: minor | Milestone: unknown
Component: mythtv | Version: head
Severity: medium | Mlocked: 0
----------------------------------------------+-----------------------------
The attached patch shell escapes the userid and password for Schedules
Direct accounts to allow the use of the single quote character. Though
it's unlikely that a single quote exists in a valid userid, shell escaping
the userid will allow the user to see a useful error in the log rather
than simply seeing sh complain about a missing single quote. After this
patch, the mythfilldatabase code can handle any special characters that SD
can handle.

This does also have a small security benefit, especially for those running
the backend as root. In order to use the exploit, though, an attacker
would need other access to the system. So, the security side of the
fix is probably less important than the usability/good error message side
of it.

This should probably also be applied to -fixes.

Thanks to xris for teaching me how to properly shell escape a single
quote.
--
Ticket URL: <http://svn.mythtv.org/trac/ticket/3892>
MythTV <http://svn.mythtv.org/trac>
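
The single-quote escaping the ticket describes, written out as an added example; it is not the attached patch or MythTV's code. The function names `shell_escape` and `sh_roundtrip` and the sample values are constructed for illustration, and a POSIX `sh` is assumed.

```cpp
// Added example: quoting one argument for POSIX sh (not MythTV's code).
#include <cstdio>
#include <string>

// Inside single quotes sh treats every byte literally, so the only
// character that needs handling is ' itself: close the quoted run,
// emit a backslash-escaped quote, and reopen:   '  ->  '\''
std::string shell_escape(const std::string &s)
{
    std::string out = "'";
    for (char c : s) {
        if (c == '\'')
            out += "'\\''";
        else
            out += c;
    }
    out += "'";
    return out;
}

// Round-trip check: let sh parse the escaped word and print it back.
// If the escaping is right, the output equals the input byte for byte.
std::string sh_roundtrip(const std::string &value)
{
    std::string cmd = "printf '%s' " + shell_escape(value);
    FILE *p = popen(cmd.c_str(), "r");
    if (!p)
        return "<popen failed>";
    std::string got;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0)
        got.append(buf, n);
    pclose(p);
    return got;
}

int main()
{
    // Constructed sample credentials containing shell metacharacters.
    const char *samples[] = {"o'brien", "p'; echo INJECTED; '", "$HOME `id` \"x\""};
    for (const char *s : samples)
        std::printf("%-24s -> %-36s roundtrip %s\n", s, shell_escape(s).c_str(),
                    sh_roundtrip(s) == s ? "ok" : "MISMATCH");
    return 0;
}
```

Where the program is started without a shell at all (an argv array passed to `execvp`, for example), no quoting is needed and this class of bug does not arise.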