Details
-
Type:
Task
-
Status: Done
-
Priority:
(None)
-
Resolution: Fixed
-
Affects Version/s: None
-
Fix Version/s: None
-
Labels:
-
Sprint:MEN Sprint 78
-
Story Points:5
-
Epic Link:
-
Backlog:yes
Description
Acceptance criteria:
- Make sure that when reading artifact v3 files in the payload section, no characters besides letters, digits and characters in the set ".,_-" are allowed.
- A test which tries to read a crafted artifact that has a disallowed character
- If
MEN-2309is already done, make sure deployments service has its mender-artifact vendor dependency updated to include this change
The primary motivation for doing this is to prevent shell evaluation attacks in update modules using files with specially crafted names (such as wildcards or spaces). The effect of this would be similar to the Shell Shock security vulnerability.
We cannot do this task after v3 is released, since constraining the filename validity would break existing artifacts.
Attachments
Release management
Issue Links
- relates to
-
MEN-2309 Update deployments service with v3 format changes
-
- Done
-