Revision d430f3fb
Added by Evgeni Golov 8 months ago
| test/fixtures/settings.yml | ||
|---|---|---|
|
name: delivery_method
|
||
|
value: :test
|
||
|
attribute97:
|
||
|
name: ct_command
|
||
|
value: "['/usr/bin/cat']"
|
||
|
name: ct_location
|
||
|
value: "/usr/bin/cat"
|
||
|
attribute98:
|
||
|
name: fcct_command
|
||
|
value: "['/usr/bin/cat']"
|
||
|
name: fcct_location
|
||
|
value: "/usr/bin/cat"
|
||
|
attribute99:
|
||
|
name: ct_arguments
|
||
|
value: []
|
||
|
attribute100:
|
||
|
name: fcct_arguments
|
||
|
value: []
|
||
Also available in: Unified diff
Fixes #36759 - only call allowed transpilers
CVE-2022-3874: OS command injection via ct_command and fcct_command
Instead of allowing to call any command by changing a setting, only
allow specific paths to ct/fcct. If the user needs a different path,
they can set it via settings.yaml.