Resolution: Fixed
Assignee: Adam Podogrocki
Reporter: Kristian Amlie
Labels:
Story Points: 5
Priority: (None)
Sprint: None
Backlog: yes
Created January 14, 2019 at 7:46 AM
Updated June 25, 2024 at 11:55 AM
Resolved January 24, 2019 at 11:02 AM
Acceptance criteria:
- Make sure that when reading artifact v3 files in the payload section, no characters besides letters, digits and characters in the set ".,_-" are allowed in filenames.
- A test which tries to read a crafted artifact that has a disallowed character in a payload filename.
- If MEN-2309 is already done, make sure the deployments service has its mender-artifact vendor dependency updated to include this change.
The primary motivation for doing this is to prevent shell evaluation attacks in update modules using files with specially crafted names (such as wildcards or spaces). The effect of this would be similar to the Shell Shock security vulnerability.
We cannot do this task after v3 is released, since constraining the filename validity would break existing artifacts.
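The check described in the acceptance criteria, written out as an added example in Go (mender-artifact's own language). This is not mender-artifact's code: the function names `isAllowedPayloadRune`, `ValidatePayloadFilename` and `ValidatePayloadSection` are hypothetical, the sample payload sections are constructed, and it assumes "letters" means ASCII letters. It goes slightly beyond the ticket's rule by also rejecting "." and "..", which consist only of allowed characters but are not useful payload names; that extra check is this example's addition.

```go
package main

import (
	"errors"
	"fmt"
)

// isAllowedPayloadRune reports whether r is in the set the acceptance
// criteria permit for payload filenames: letters, digits, and ".,_-".
// Assumption: "letters" means ASCII letters; anything else is rejected.
func isAllowedPayloadRune(r rune) bool {
	switch {
	case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		return true
	case r == '.', r == ',', r == '_', r == '-':
		return true
	}
	return false
}

// ValidatePayloadFilename returns nil when name is acceptable and an error
// identifying the first offending character otherwise. Because "/" is not in
// the allowed set, path separators are rejected as a side effect. "." and ".."
// are made of allowed characters only, so they are rejected explicitly here;
// that rule is this example's addition, not part of the ticket.
func ValidatePayloadFilename(name string) error {
	if name == "" {
		return errors.New("payload filename is empty")
	}
	if name == "." || name == ".." {
		return fmt.Errorf("payload filename %q is a directory reference", name)
	}
	// Ranging over a string yields runes; invalid UTF-8 decodes to U+FFFD,
	// which is not in the allowed set, so malformed names are rejected too.
	for i, r := range name {
		if !isAllowedPayloadRune(r) {
			return fmt.Errorf("payload filename %q: disallowed character %q at byte offset %d", name, r, i)
		}
	}
	return nil
}

// ValidatePayloadSection mimics the read of an artifact's payload section:
// every filename is checked and the first rejection aborts the read, so a
// crafted entry never reaches an update module that might pass it to a shell.
func ValidatePayloadSection(names []string) error {
	for _, n := range names {
		if err := ValidatePayloadFilename(n); err != nil {
			return fmt.Errorf("rejecting artifact: %w", err)
		}
	}
	return nil
}

func main() {
	// Constructed sample payload sections: one well-formed, one crafted with
	// a space and a wildcard, the kinds of names the ticket warns about.
	good := []string{"rootfs.ext4", "update-1.2.3_amd64.img", "notes,v2.txt"}
	crafted := []string{"rootfs.ext4", "my update.sh", "*.tar"}
	fmt.Println("good:", ValidatePayloadSection(good))
	fmt.Println("crafted:", ValidatePayloadSection(crafted))
}
```

Rejecting the whole artifact on the first bad name, rather than skipping the entry, matches the ticket's intent: an artifact with a crafted filename is treated as invalid input, not partially installed.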