Malicious mvnvm.properties can execute anything with user privileges
Issue #17
resolved
Currently, mvnvm.properties is just sourced, allowing arbitrary commands to be executed:
$ mkdir evil && cd evil
$ echo "echo hi there, how about a little rm -rf /?" > mvnvm.properties
$ mvn --version
hi there, how about a little rm -rf /?
[MVNVM] Using maven: 3.0.5
...
The file should be read differently so that this is not possible.
Comments (5)

repo owner:
Suggestions on how to do that?

Account Deactivated (reporter):
Something like this:
mvn_version=`grep -m 1 "^mvn_version=" "$file" | cut -d'=' -f2-`
I can prepare a PR. Is mvn_version the only thing that's currently read?

Account Deactivated:
My understanding is that mvn_version is the only one currently used. But by the looks of it, the defaults set are user_uri, mvn_version, local_dir. Would it make sense to create something that can at least read these properties?

repo owner assigned issue to
assigned issue to

Account Deactivated (reporter) changed status to resolved:
PR was merged. Reads the properties that Matt mentioned and ignores others.
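A reader built along the lines suggested in the thread, added here as an example and not mvnvm's own code: it treats mvnvm.properties as data, looks up only the three keys named above (mvn_version, user_uri, local_dir) with grep/cut, and never sources the file, so any other line is ignored rather than executed. The function names and the sample file are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not mvnvm's code): read mvnvm.properties as data, not as
# shell. Only the keys the thread names are looked up; everything else in the
# file is plain text that never reaches source/eval.
set -u

# Print the value of the first "key=value" line for a whitelisted key, or
# nothing if the key is absent. The anchor "^key=" means a line such as
# `echo hi there, how about a little rm -rf /?` simply does not match.
mvnvm_get_property() {
  local file="$1" key="$2"
  [ -r "$file" ] || return 0
  grep -m 1 "^${key}=" "$file" | cut -d'=' -f2-
}

# Load the three properties mvnvm knows about into shell variables.
# Unknown keys in the file are left untouched (and unexecuted).
mvnvm_load_properties() {
  local file="$1"
  mvn_version=$(mvnvm_get_property "$file" mvn_version)
  user_uri=$(mvnvm_get_property "$file" user_uri)
  local_dir=$(mvnvm_get_property "$file" local_dir)
}

# Constructed sample file: the injected command from the issue, a key that
# merely ends in "mvn_version" and must not match, and two real settings.
MVNVM_SAMPLE=$(mktemp)
cat > "$MVNVM_SAMPLE" <<'EOF'
echo hi there, how about a little rm -rf /?
not_mvn_version=9.9.9
mvn_version=3.0.5
local_dir=/opt/mvnvm
EOF

mvnvm_load_properties "$MVNVM_SAMPLE"
echo "mvn_version=${mvn_version} user_uri=${user_uri:-<unset>} local_dir=${local_dir}"
rm -f "$MVNVM_SAMPLE"
```

Running it prints only the parsed values; the injected echo line never executes because the file is read, not sourced.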