remote shell execution in v1.12.2 #100
Comments
Thanks for the report. I don't know how I would build an allow list, especially considering the different processing backends. I will try adding a deny list for
Did this one already get dealt with? Thought I saw something in the changes recently.
There was an attempt on my side, but this issue showed there were other ways, so I reverted the non-fix. TBH I don't consider this important to address, because inferring processing options directly from user input is a terrible idea. Even if I fixed remote shell execution, you would still allow trivial DoSing. I believe I saw Active Storage adding a whitelist on their side, and they're the biggest dependants.
Sounds good :)
I confirmed from the 038e457 commit that there are other attack methods.
It seems that other unexpected behavior is possible, so I think it is better to make an allow list and deal with it.
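The allow-list approach discussed in the thread, as an added example that is not the project's own code: user-supplied processing operations are matched against a fixed table that also bounds their arguments, so the backend only ever receives options it was written to expect. The operation names (resize_to_limit, rotate, convert) and limits are assumptions chosen for illustration, not any library's actual API.

```ruby
# Added example: allow list for user-supplied image-processing operations.
# Only names in ALLOWED_OPERATIONS pass, and each one's arguments are checked
# and normalized, which also caps the work a single request can demand.
# Operation names and bounds here are assumptions, not a real library's API.

MAX_DIMENSION = 4096                      # assumed upper bound on any dimension
ALLOWED_FORMATS = %w[jpg jpeg png webp].freeze

# operation name => validator returning normalized args, or nil to reject
ALLOWED_OPERATIONS = {
  "resize_to_limit" => lambda { |args|
    w, h = args
    return nil unless [w, h].all? { |v| v.is_a?(Integer) && v.between?(1, MAX_DIMENSION) }
    [w, h]
  },
  "rotate" => lambda { |args|
    deg = args.first
    deg.is_a?(Integer) && [0, 90, 180, 270].include?(deg) ? [deg] : nil
  },
  "convert" => lambda { |args|
    fmt = args.first
    fmt.is_a?(String) && ALLOWED_FORMATS.include?(fmt.downcase) ? [fmt.downcase] : nil
  }
}.freeze

class RejectedOperation < StandardError; end

# Takes a user-supplied list of [name, args] pairs and returns a sanitized list
# of [String, Array] pairs. Unknown names and out-of-range arguments raise
# instead of being forwarded to a processing backend.
def sanitize_operations(requested)
  requested.map do |name, args|
    validator = ALLOWED_OPERATIONS[name.to_s]
    raise RejectedOperation, "unknown operation #{name.inspect}" unless validator
    normalized = validator.call(Array(args))
    raise RejectedOperation, "bad arguments for #{name}: #{args.inspect}" unless normalized
    [name.to_s, normalized]
  end
end

# Constructed sample inputs (not taken from the issue).
if __FILE__ == $0
  p sanitize_operations([["resize_to_limit", [800, 600]], [:convert, ["PNG"]]])
  begin
    sanitize_operations([["resize_to_limit", [800, 600]], ["blur", [5]]])
  rescue RejectedOperation => e
    puts "rejected: #{e.message}"
  end
end
```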