Open ExcaliburZero opened 7 years ago
Currently PiCAST is vulnerable to arbitrary command execution due to the fact that it uses the command line to play videos.
Here is an example of an input that would cause unintended command execution:
localhost:3000/yt-stream/$(zenity --info --text "Arbitrary Command")
In order to fix this, you may want to add a way of making sure that the YouTube video id is valid and does not contain $(SOME_COMMAND).