[OpenSIPS-Users] Best practices regarding exec module command injection

Erik H erikh998877 at gmail.com
Wed Sep 7 14:39:51 UTC 2022


What are the recommended practices to avoid command injection when
using the exec module with user-defined variables as arguments?

For example, say we have this code:

exec("/home/.../myscript.sh '$tu'")

(or with whatever user-defined value other than $tu we may want to use)

Would this be vulnerable to command injection, or does OpenSIPS
recognize that the quoted "$tu" value should be escaped? If it is
vulnerable, how can we best avoid this? Does it suffice to use
s.escape.common on the value?

