[fix] be paranoid and prevent shell injections here also while input is supposed to be safe

This commit is contained in:
Laurent Peuch 2017-08-18 02:35:08 +02:00
parent c8c7fe7fc7
commit d440d06ae7

View file

@ -81,7 +81,7 @@ function hmac_sha512(key, message)
-- this is really dirty and probably leak the key and the message in the process list -- this is really dirty and probably leak the key and the message in the process list
-- but if someone got there I guess we really have other problems so this is acceptable -- but if someone got there I guess we really have other problems so this is acceptable
-- and also this is way better than the previous situation -- and also this is way better than the previous situation
local pipe = io.popen("echo -n '" ..message.. "' | openssl sha512 -hmac '" ..key.. "'") local pipe = io.popen("echo -n '" ..message:gsub("'", "'\\''").. "' | openssl sha512 -hmac '" ..key:gsub("'", "'\\''").. "'")
-- openssl returns something like this: -- openssl returns something like this:
-- root@yunohost:~# echo -n "qsd" | openssl sha512 -hmac "key" -- root@yunohost:~# echo -n "qsd" | openssl sha512 -hmac "key"