Source: http://vapid.dhs.org/research/lipsiadmin-5.1.9-cmd-exec.txt (Google cache snapshot, May 4, 2013 07:46:21 GMT)
 
If the file attachment name contains shell metacharacters, commands
can be injected and executed remotely.


lipsiadmin-5.1.9/lib/data_base/attachment/attach.rb


      # params is interpolated into the command string without escaping.
      def run(cmd, params = "", expected_outcodes = 0)
        command = %Q<#{%Q[#{path_for_command(cmd)} #{params}].gsub(/\s+/, " ")}>
        command = "#{command} 2>#{bit_bucket}" if Attachment.options[:swallow_stderr]
        # Backticks hand the whole string to the shell, which interprets metacharacters.
        output = `#{command}`
        unless [expected_outcodes].flatten.include?($?.exitstatus)
          raise AttachmentCommandLineError, "Error while running #{cmd}"
        end
        output
      end
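
The pattern above next to a hardened form, as an added example (not lipsiadmin's code and not a patch from the project). The names run_via_shell, run_argv and HOSTILE_NAME are assumptions made for illustration, and the file name is a constructed sample with a harmless payload.

```ruby
require "open3"

class AttachmentCommandLineError < StandardError; end

# Same shape as run() in attach.rb: params is spliced into one string and
# the backtick operator gives that string to /bin/sh for parsing.
def run_via_shell(cmd, params = "")
  command = "#{cmd} #{params}".gsub(/\s+/, " ")
  `#{command}`
end

# Hardened form (an assumption of this example): the program and each
# argument are passed as separate argv entries, so no shell ever parses
# the file name. The [cmd, cmd] pair forces the no-shell code path even
# when args is empty.
def run_argv(cmd, args = [], expected_outcodes = 0)
  output, status = Open3.capture2e([cmd, cmd], *args.map(&:to_s))
  unless [expected_outcodes].flatten.include?(status.exitstatus)
    raise AttachmentCommandLineError, "Error while running #{cmd}"
  end
  output
end

# Constructed sample: an attachment name carrying a shell metacharacter.
HOSTILE_NAME = "report.png; echo INJECTED"

if __FILE__ == $0
  # Shell form: the ';' ends the first command and a second one runs.
  puts "via shell: #{run_via_shell('echo', HOSTILE_NAME).inspect}"
  # argv form: the whole name reaches the program as one literal argument.
  puts "via argv:  #{run_argv('echo', [HOSTILE_NAME]).inspect}"
end
```

With the argv form, a file name is only ever data to the invoked program; the exit-status check from the original method is kept unchanged.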