mirror of
https://github.com/YunoHost/SSOwat.git
synced 2024-09-03 20:06:27 +02:00
[fix] be paranoid and prevent shell injections here also while input is supposed to be safe
This commit is contained in:
parent
c8c7fe7fc7
commit
d440d06ae7
1 changed files with 1 additions and 1 deletions
|
@ -81,7 +81,7 @@ function hmac_sha512(key, message)
|
||||||
-- this is really dirty and probably leak the key and the message in the process list
|
-- this is really dirty and probably leak the key and the message in the process list
|
||||||
-- but if someone got there I guess we really have other problems so this is acceptable
|
-- but if someone got there I guess we really have other problems so this is acceptable
|
||||||
-- and also this is way better than the previous situation
|
-- and also this is way better than the previous situation
|
||||||
local pipe = io.popen("echo -n '" ..message.. "' | openssl sha512 -hmac '" ..key.. "'")
|
local pipe = io.popen("echo -n '" ..message:gsub("'", "'\\''").. "' | openssl sha512 -hmac '" ..key:gsub("'", "'\\''").. "'")
|
||||||
|
|
||||||
-- openssl returns something like this:
|
-- openssl returns something like this:
|
||||||
-- root@yunohost:~# echo -n "qsd" | openssl sha512 -hmac "key"
|
-- root@yunohost:~# echo -n "qsd" | openssl sha512 -hmac "key"
|
||||||
|
|
Loading…
Reference in a new issue