-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixing command injection vulnerability #7
Conversation
Hi
Thanks for your PR.
* Looks better with an unique sed and -e argument
* can you provide a sample as vulnerability, with some should be great
Thanks again
|
Hi.
Regards, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not mysqli_real_escape_string?
@fufroma Currently mysqli_real_escape_string() is not used anywhere in AlternC You may propose a global patch to replace addslashes() by mysqli_real_escape_string() :o) |
Because previously we were lazy doesn't mean we should continue this way ^^ |
HI Do you solve #5 ? |
@camlafit the code seems to attempt fixing #1, #3, and #5 |
Hi In review code I see you normalize also su/sudo use. Should be better to set it as specific commit can you improve this. When you've do check/test about this we can merge it :) @vincib ? @albancrommer ? |
shell issue not applicable (you have an old update_mailman.sh, that may be vulnerable) |
Password field was vulnerable to command injection