ibm-messaging / mq-exits

A collection of sample IBM MQ exits
Apache License 2.0

Change UNIX code to use execv instead of popen to prevent CWE-77 #3

Closed parrobe closed 3 years ago

parrobe commented 3 years ago

Fixes issue #2. I refactored the code to use execv instead of popen to call amqoampx in the UNIX code of the validateCredentials function. This means that instead of echoing a string passed by an application (which could be escaped), the userid is passed as a direct parameter during the execv call and the password is then written to that new process via STDIN.

parrobe commented 3 years ago

A simple test of this: run amqsputc with a userid and for the password pass `" && endmqm QM1 && echo "a`. On the old version, if QM1 was the name of your queue manager, it would quiesce it. On the new version it does not. Same for the userid.
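The before/after pattern described in this PR and the test payload from the comment above, as an added example that is not the repository's own code. The checker path, the exact format of the old popen command string, and feeding the password without a trailing newline are assumptions; `/bin/echo` and `/bin/cat -` stand in for amqoampx so the example runs anywhere, showing that argv[1] reaches the child verbatim and that stdin carries the password untouched, with no shell ever parsing either value.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed location of the credential checker; the PR does not show the real
 * path or argument list of amqoampx. */
#define CHECKER "/opt/mqm/bin/amqoampx"

/* The password/userid payload from the PR's test comment. */
static const char PAYLOAD[] = "\" && endmqm QM1 && echo \"a";

/* BEFORE (the CWE-77 pattern): build the string popen() would hand to /bin/sh.
 * The format is an assumption; the defect is that caller-controlled values are
 * spliced into shell syntax. Returns 0 on success, -1 if truncated. */
int build_popen_command(const char *userid, const char *password,
                        char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "echo \"%s %s\" | %s", userid, password, CHECKER);
    return (n >= 0 && (size_t)n < buflen) ? 0 : -1;
}

/* AFTER: fork, wire stdin/stdout to pipes, execv() the checker with userid as
 * argv[1], and feed the password through stdin. Copies the child's stdout into
 * out (NUL-terminated) and returns its exit status, or -1 on failure. */
int run_checker_execv(const char *checker, const char *userid,
                      const char *password, char *out, size_t outlen)
{
    int in_pipe[2], out_pipe[2];
    if (pipe(in_pipe) != 0 || pipe(out_pipe) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                  /* child */
        dup2(in_pipe[0], STDIN_FILENO);
        dup2(out_pipe[1], STDOUT_FILENO);
        close(in_pipe[0]);  close(in_pipe[1]);
        close(out_pipe[0]); close(out_pipe[1]);
        char *argv[] = { (char *)checker, (char *)userid, NULL };
        execv(checker, argv);                        /* no shell involved */
        _exit(127);                                  /* only if execv failed */
    }
    close(in_pipe[0]);
    close(out_pipe[1]);
    /* A child that exits without reading stdin makes write() raise SIGPIPE,
     * which would kill the calling process; ignore it and treat EPIPE as EOF. */
    void (*old_pipe)(int) = signal(SIGPIPE, SIG_IGN);
    const char *p = password;
    size_t left = strlen(password);                  /* assumption: no newline needed */
    while (left > 0) {
        ssize_t w = write(in_pipe[1], p, left);
        if (w < 0) break;
        p += w; left -= (size_t)w;
    }
    close(in_pipe[1]);                               /* EOF: password complete */
    size_t used = 0;
    char scratch[256];
    for (;;) {
        ssize_t r = (used + 1 < outlen)
            ? read(out_pipe[0], out + used, outlen - 1 - used)
            : read(out_pipe[0], scratch, sizeof scratch); /* drain so child never blocks */
        if (r <= 0) break;
        if (used + 1 < outlen) used += (size_t)r;
    }
    out[used] = '\0';
    close(out_pipe[0]);
    signal(SIGPIPE, old_pipe);
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Each check returns 1 when the behaviour described in the PR is observed. */
int old_command_carries_payload(void)
{
    char cmd[512];
    if (build_popen_command("alice", PAYLOAD, cmd, sizeof cmd) != 0) return 0;
    /* The closing quote ends echo's argument and "&& endmqm QM1" becomes a command. */
    return strstr(cmd, "\" && endmqm QM1 && echo \"") != NULL;
}

/* /bin/echo stands in for the checker: it prints argv[1] exactly as received. */
int execv_userid_is_literal(void)
{
    char out[512];
    if (run_checker_execv("/bin/echo", PAYLOAD, "secret", out, sizeof out) != 0) return 0;
    return strcmp(out, "\" && endmqm QM1 && echo \"a\n") == 0;
}

/* "/bin/cat -" stands in for the checker: it copies stdin (the password). */
int execv_password_via_stdin(void)
{
    char out[512];
    if (run_checker_execv("/bin/cat", "-", PAYLOAD, out, sizeof out) != 0) return 0;
    return strcmp(out, PAYLOAD) == 0;
}

int main(void)
{
    printf("old popen string carries payload: %d\n", old_command_carries_payload());
    printf("execv passes userid literally:    %d\n", execv_userid_is_literal());
    printf("execv password arrives via stdin: %d\n", execv_password_via_stdin());
    return 0;
}
```

With the old string, `echo "alice " && endmqm QM1 && echo "a" | /opt/mqm/bin/amqoampx` is exactly what `/bin/sh -c` would run, which is why the payload quiesces the queue manager. With execv the same bytes are one argv element or a stdin write, so there is nothing for a shell to split. The SIGPIPE handling and the stdout drain loop are the two details a real exit needs that a minimal fork/exec often forgets.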