Malicious mvnvm.properties can execute anything with user privileges
Issue #17
resolved
Currently, mvnvm.properties is just sourced, allowing arbitrary commands to be executed:
$ mkdir evil && cd evil
$ echo "echo hi there, how about a little rm -rf /?" > mvnvm.properties
$ mvn --version
hi there, how about a little rm -rf /?
[MVNVM] Using maven: 3.0.5
...
The file should be read differently so that this is not possible.
Comments (5)
-
repo owner
-
Account Deactivated reporter
Something like this:
mvn_version=`grep -m 1 "^mvn_version=" "$file" | cut -d'=' -f2-`I can prepare a PR. Is
mvn_versionthe only thing that's currently read? -
Account Deactivated
My understanding is that
mvn_versionis the only one currently used.But by the looks of it, the defaults set are
user_uri mvn_version local_dirWould it make sense to create something that can at least read these properties?
-
repo owner
-
assigned issue to
Robin Stocker
-
assigned issue to
-
Account Deactivated reporter
- changed status to resolved
PR was merged. Reads the properties that Matt mentioned and ignores others.
- Log in to comment
Suggestions on how to do that?