- Type: Task
- Status: Done
- Priority: (None)
- Resolution: Fixed
- Affects Version/s: None
- Fix Version/s: None
- Labels:
- Epic Link:

Acceptance criteria:
- Make sure that when reading artifact v3 files, file names in the payload section contain no characters besides letters, digits and characters in the set ".,_-".
- A test which tries to read a crafted artifact that has a disallowed character in a payload file name
- If MEN-2309 is already done, make sure the deployments service has its mender-artifact vendor dependency updated to include this change
The primary motivation for doing this is to prevent shell evaluation attacks in update modules using files with specially crafted names (for example, names containing wildcards or spaces). The effect of this would be similar to the Shellshock security vulnerability.
We cannot do this task after v3 is released, since constraining the filename validity would break existing artifacts.
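
An added example (not mender-artifact's own code) of the check the acceptance criteria describe, run over a constructed in-memory tar archive standing in for a v3 payload. The names `checkPayload` and `craftedPayload`, and the reading of "letters" as ASCII letters only, are assumptions.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"regexp"
)

// Ticket's set: letters (assumed ASCII only), digits and ".,_-".
var validPayloadName = regexp.MustCompile(`^[A-Za-z0-9.,_-]+$`)

// checkPayload walks a tar stream and rejects it at the first entry whose
// file name is empty or contains a character outside the allowed set.
func checkPayload(r io.Reader) error {
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		if !validPayloadName.MatchString(hdr.Name) {
			return fmt.Errorf("payload file name %q has disallowed characters", hdr.Name)
		}
	}
}

// craftedPayload builds a constructed in-memory tar of empty files.
func craftedPayload(names ...string) io.Reader {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		if err := tw.WriteHeader(&tar.Header{Name: n, Mode: 0600}); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return &buf
}

func main() {
	fmt.Println(checkPayload(craftedPayload("rootfs.ext4", "app_v1.2-rc,1.bin")))
	fmt.Println(checkPayload(craftedPayload("rootfs.ext4", "fw *.bin")))
}
```

The names `.` and `..` satisfy this character set, so code that later uses a payload name as a path needs its own check for them.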
- relates to MEN-2309 Update deployments service with v3 format changes - Done