Open nyasukun opened 8 years ago
dave-tucker
commented
8 years ago @nyasukun thanks for the report, but I can't seem to replicate the issue.
I've run /docker pull;echo "malicious code" > /go/foo.txt from the client, but that file doesn't appear on the server.
Can you suggest another example I can try?
aduermael
commented
8 years ago @nyasukun @dave-tucker I'm currently working on fixing #12, commands won't be transmitted the same way after that. But we should keep that issue open, we will still have to take care of possible command injection.
nyasukun
commented
8 years ago @dave-tucker plugin checks if docker command by looking 2nd arg. and command line is created with plus joined string.
so command should be /docker pull<space>;<some_single_command> to reproduce.
This issue is cased from using shell to contact with goproxy. As @aduermael works, it seems to bypass a shell and this issue will be fixed automatically.
Thanks
put following command line in chat window; /docker pull ;xxxx
xxxx can be executed in dockercraft server side.