Closed DylanPiercey closed 4 years ago
@natterstefan do you think it's fair to release this as a patch?
@DylanPiercey Yes, it's fair. But considering what's also waiting in master, I suggest we release a new feature version (we briefly talked about it already), don't you think? We must also update CHANGES.md, missed that in the previous PRs: https://d.pr/i/CJTWPm/Fr4qiTTkBY.
Currently it is possible for an attacker to execute an arbitrary command on a host system by using the `find` API, since the argument provided is passed directly into a command string, e.g.:
This PR fixes this potential security issue by first validating the IP address for the `find` API.

// cc @natterstefan