ghantoos / lshell

lshell is a shell coded in Python, that lets you restrict a user's environment to limited sets of commands, choose to enable/disable any command over SSH (e.g. SCP, SFTP, rsync, etc.), log user's commands, implement timing restriction, and more.
GNU General Public License v3.0
435 stars, 112 forks

[security] parse quoted strings for possible commands #147, #148, #149 #153

Closed ghantoos closed 8 years ago

ghantoos commented 8 years ago

Closes #148, Closes #147, Closes #149

Both issues #148 and #147 use the same vulnerability in the parser, which ignored the quoted strings, parsing only the rest of the line for security issues. This is a major security bug.

This commit also corrects a previously omitted correction regarding the control characters, which permitted escaping from lshell.

Thank you Proskurin Kirill (@Oloremo) and Vladislav Yarmak (@Snawoot) for reporting this!!