  1. Mender
  2. MEN-2319

Artifact format: Avoid spaces and wildcards in files list


    Details

    • Type: Task
    • Status: Done
    • Priority: (None)
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:

      Description

      Acceptance criteria:

      • Make sure that when reading artifact v3 files in the payload section, no characters besides letters, digits and characters in the set ".,_-" are allowed.
      • A test which tries to read a crafted artifact that has a disallowed character
      • If MEN-2309 is already done, make sure deployments service has its mender-artifact vendor dependency updated to include this change

      The primary motivation for doing this is to prevent shell evaluation attacks in update modules using files with specially crafted names (such as wildcards or spaces). The effect of this would be similar to the Shellshock security vulnerability.

      We cannot do this task after v3 is released, since constraining the filename validity would break existing artifacts.
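
A sketch of the check the acceptance criteria describe, written as an added example and not taken from mender-artifact: the whole files list is rejected if any name contains a character outside letters, digits and ".,_-". The function names are hypothetical, "letters" is assumed to mean ASCII letters, and the sample names are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedPunct is the punctuation set quoted in the acceptance criteria.
const allowedPunct = ".,_-"

// disallowedChars returns the distinct characters of name that are not
// ASCII letters, digits or in allowedPunct, in order of first appearance.
// Invalid UTF-8 bytes decode to U+FFFD and are therefore reported too.
func disallowedChars(name string) []rune {
	var bad []rune
	for _, r := range name {
		ok := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') ||
			(r >= '0' && r <= '9') || strings.ContainsRune(allowedPunct, r)
		if !ok && !strings.ContainsRune(string(bad), r) {
			bad = append(bad, r)
		}
	}
	return bad
}

// ValidatePayloadNames (hypothetical) fails on the first empty name or the
// first name that an update module's shell could split or expand.
// It checks the character set only; names such as ".." still pass.
func ValidatePayloadNames(names []string) error {
	for i, n := range names {
		if n == "" {
			return fmt.Errorf("payload file %d: empty name", i)
		}
		if bad := disallowedChars(n); len(bad) > 0 {
			return fmt.Errorf("payload file %d (%q): disallowed characters %q",
				i, n, string(bad))
		}
	}
	return nil
}

func main() {
	// Constructed files lists: one clean, one with a space and a wildcard.
	lists := [][]string{
		{"rootfs-image_v1.2.ext4", "manifest,v3"},
		{"rootfs.ext4", "my file *.img"},
	}
	for _, l := range lists {
		fmt.Printf("%q -> %v\n", l, ValidatePayloadNames(l))
	}
}
```
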


                People

                • Assignee:
                  apodogrocki Adam Podogrocki
                  Reporter:
                  a10040 Kristian Amlie