[OpenSIPS-Users] Best practices regarding exec module command injection
erikh998877 at gmail.com
Wed Sep 7 14:39:51 UTC 2022
What are the recommended practices to avoid command injection when
using the exec module with user-defined variables as arguments?
For example, say we have this code:
(or with whatever user-defined value other than $tu we may want to use)
Would this be vulnerable to command injection, or does OpenSIPS
recognize that the quoted "$tu" value should be escaped? If it is
vulnerable, how can we best avoid this? Does it suffice to use
s.escape.common on the value?
More information about the Users