check_ssh_injection is used to prevent commands being modified using
specially constructed strings containing special characters.
The function includes a loop over the special characters to compare
them against each arg. If the special character is the same as the arg
it gets ignored.
This commit modifies this part of the function so that args that are
exactly equal to one of the special characters will cause an exception
to be raised.
Change-Id: I3a61e995ea41fc0324b5cb60e3c96e3d9dc56637
Closes-Bug: #1398002
self.assertRaises(exception.SSHInjectionThreat,
utils.check_ssh_injection,
with_unquoted_space)
- with_danger_char = ['||', 'my_name@name_of_remote_computer']
+ with_danger_chars = ['||', 'my_name@name_of_remote_computer']
+ self.assertRaises(exception.SSHInjectionThreat,
+ utils.check_ssh_injection,
+ with_danger_chars)
+ with_danger_char = [';', 'my_name@name_of_remote_computer']
self.assertRaises(exception.SSHInjectionThreat,
utils.check_ssh_injection,
with_danger_char)
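Review bot: The two fixtures `with_danger_chars` and `with_danger_char` differ by a single letter, so it is easy to read the second assertion as a repeat of the first. Names that say what is tested, such as `with_double_pipe` and `with_semicolon`, would make the intent clear. Both cases place the operator as the first list element; if the pattern list in utils contains further operators, a short loop asserting `SSHInjectionThreat` for each one as a standalone argument would pin the new behaviour for the whole list rather than two samples. The test method starts outside this hunk.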
# Second, check whether danger character in command. So the shell
# special operator must be a single argument.
for c in ssh_injection_pattern:
- if arg == c:
+ if c not in arg:
continue
result = arg.find(c)
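Review bot: The comment above the loop still ends with "So the shell special operator must be a single argument", which described the old `if arg == c: continue` exemption and now contradicts the code, since an argument that is exactly an operator is no longer skipped. I would reword it to something like `# Second, check each argument for shell special operators; an argument that is exactly an operator is not exempt.` so the next maintainer does not reintroduce the bypass. As a smaller point, `if c not in arg: continue` followed by `arg.find(c)` scans the string twice; if the code after this hunk already tests `result` against -1, the guard is redundant. The function body continues outside the hunk, and because `find` reports only the first occurrence, it is worth confirming there that later occurrences of the same character in one argument are examined too.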