
Unsafe processing of special characters in CLI autocomplete
Confirmed, Normal, Public, BUG

Description

Using the ' character inside a value in config mode leads to unsafe execution of this value. For example:

[edit]
vyos@vyos# set '`echo leaked > /tmp/cli`' [TAB]
[edit]
vyos@vyos# cat /tmp/cli 
leaked
[edit]
vyos@vyos#

Or, even funnier (DO NOT DO THIS IN PRODUCTION):

set '`sudo systemctl reboot`'
[TAB to reboot immediately]

This is a critical bug; proper processing of special characters should be added.
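
The class of bug reported above, as an added example that is not VyOS code: it assumes (the report does not say how completion is implemented) that the handler re-parses the typed word as shell code, and contrasts that with two handlings that keep the word as data. All function names and the marker path are hypothetical.

```sh
# Added illustration; not VyOS code. All function names are hypothetical.

# Constructed sample: the word a completion handler receives once the shell
# has stripped the outer single quotes. The marker file is a harmless side effect.
MARKER="/tmp/completion_demo.$$"
TYPED_WORD="\`echo leaked > $MARKER\`"

# Unsafe: the word is pasted into a string that is parsed a second time as
# shell code, so the backticks become a command substitution.
complete_unsafe() {
    eval "set -- path $1"
    printf '%s\n' "$#"
}

# Hardened 1: no second parse; the word travels as a single argument.
complete_as_data() {
    set -- path "$1"
    printf '%s\n' "$2"
}

# Wrap a string in single quotes, escaping embedded single quotes.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hardened 2: if a re-parse cannot be avoided, quote the word first.
complete_quoted() {
    eval "set -- path $(sh_quote "$1")"
    printf '%s\n' "$2"
}

# Runs a handler on TYPED_WORD; succeeds only if the marker file appeared.
side_effect_of() {
    rm -f "$MARKER"
    "$1" "$TYPED_WORD" >/dev/null
    if [ -e "$MARKER" ]; then rm -f "$MARKER"; return 0; fi
    return 1
}

for h in complete_unsafe complete_as_data complete_quoted; do
    if side_effect_of "$h"; then echo "$h: typed word was executed"
    else echo "$h: typed word stayed data"; fi
done
```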

Details

Version
1.4-rolling-202103130218, 1.3-beta-202103150703, 1.2.6-S1
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)

Event Timeline

zsdc changed the task status from Open to Confirmed.
zsdc triaged this task as Urgent! priority.
syncer lowered the priority of this task from Urgent! to Normal. Jun 16 2024, 2:53 PM
dmbaturin changed Issue type from Unspecified (please specify) to Bug (incorrect behavior).