opentechinstitute / luci-commotion

Commotion configuration pages for the LuCI web interface
GNU General Public License v3.0

[CLOSED] Consider re-writing the commotion-service-parser Bash script in another scripting language such as Python and running this script as a low-rights user #332

Closed oti-tech closed 10 years ago

oti-tech commented 10 years ago

Issue by areynold Monday Sep 09, 2013 at 20:40 GMT

Originally opened as https://github.com/opentechinstitute/luci-commotion-apps/issues/14


A large number of dangerous shell functions, complex parsing methods and other risks contribute to this recommendation. This should also be considered high-risk code, as the output from avahi-client is parsed, and such data is shared and broadcast between routers. If a vulnerability is located within this code, it may allow a single attacker or compromised mesh Ad-Hoc network to take control of all the mesh routers.
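The kind of parsing the issue recommends, as an added example that is not part of the original issue or the project's code: each field of a service announcement received from another router is matched against a strict allowlist and never handed to a shell. The record layout is an assumption modelled on the semicolon-delimited output of `avahi-browse --parsable --resolve`, and `parse_record` and the sample lines are hypothetical.

```python
import ipaddress
import re

# Assumed record layout (not taken from the page), modelled on avahi-browse:
# =;iface;protocol;name;type;domain;hostname;address;port;txt
FIELDS = ("iface", "proto", "name", "type", "domain", "host", "addr", "port", "txt")

# Allowlists: every field must match in full, anything else drops the record.
PATTERNS = {
    "iface": re.compile(r"[A-Za-z0-9_.-]{1,15}"),
    "proto": re.compile(r"IPv[46]"),
    "name": re.compile(r"[A-Za-z0-9 _.-]{1,63}"),
    "type": re.compile(r"_[a-z0-9-]{1,15}\._(tcp|udp)"),
    "domain": re.compile(r"[a-z0-9.-]{1,253}"),
    "host": re.compile(r"[A-Za-z0-9.-]{1,253}"),
    "port": re.compile(r"[0-9]{1,5}"),
    "txt": re.compile(r'[A-Za-z0-9 _.,:/="-]{0,512}'),
}

def parse_record(line):
    """Return a dict of validated fields, or None if the line is rejected."""
    parts = line.rstrip("\n").split(";", 9)
    if len(parts) != 10 or parts[0] != "=":
        return None
    rec = dict(zip(FIELDS, parts[1:]))
    for key, pattern in PATTERNS.items():
        if not pattern.fullmatch(rec[key]):
            return None
    try:
        # Normalise the address; malformed values raise ValueError.
        rec["addr"] = str(ipaddress.ip_address(rec["addr"]))
    except ValueError:
        return None
    rec["port"] = int(rec["port"])
    if not 1 <= rec["port"] <= 65535:
        return None
    return rec

# Constructed sample input: one well-formed announcement and one whose
# name field carries shell syntax that a Bash parser might expand.
SAMPLE = [
    '=;wlan0;IPv4;Community Wiki;_http._tcp;local;node1.local;10.0.0.5;80;"path=/wiki"',
    '=;wlan0;IPv4;wiki$(id);_http._tcp;local;node2.local;10.0.0.6;80;""',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(parse_record(entry))
```

Rejected records return `None` rather than being repaired, so a consumer only ever sees fields that passed every check.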

oti-tech commented 10 years ago

Comment by dismantl Monday Sep 09, 2013 at 23:05 GMT


It has been re-written in C, and needs to be packaged and tested on the OpenWRT platform: https://github.com/opentechinstitute/avahi-client/tree/commotion-service-manager

oti-tech commented 10 years ago

Comment by dismantl Friday Dec 27, 2013 at 18:49 GMT


This issue is fixed for R1, with the inclusion of the commotion-service-manager.