[OpenSIPS-Users] Best practices regarding exec module command injection

Erik H erikh998877 at gmail.com
Wed Sep 7 14:39:51 UTC 2022


Hi!

What are the recommended practices to avoid command injection when
using the exec module with user-defined variables as arguments?

For example, say we have this code:

exec("/home/.../myscript.sh '$tu'")

(or with whatever user-defined value other than $tu we may want to use)

Would this be vulnerable to command injection, or does OpenSIPS
recognize that the quoted "$tu" value should be escaped? If it is
vulnerable, how can we best avoid this? Does it suffice to use
s.escape.common on the value?

Regards,
Erik
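
The quoting question above can be checked against sh itself; what follows is an added example, not part of the original post and not OpenSIPS code. It assumes the command string is handed to `sh -c` after variable substitution. `backslash_escape` is a hypothetical stand-in for an escape that prefixes quotes and backslashes with a backslash (check the transformations documentation for what s.escape.common actually emits), and the sample values are constructed.

```sh
#!/bin/sh
# Added illustration, not OpenSIPS code. Assumption: the exec command string
# reaches "sh -c" with the variable's value already substituted into it.

# Let sh parse "argv_probe <arg text>" and report what the callee received:
# "<argc>:<first argument>", or "parse-error" if sh rejects the line.
probe() {
    sh -c "argv_probe() { printf '%s:%s' \"\$#\" \"\$1\"; }; argv_probe $1" \
        2>/dev/null || printf 'parse-error'
}

# Hypothetical stand-in for an escape that prefixes ' " and \ with a backslash.
backslash_escape() { printf '%s' "$1" | sed "s/['\"\\\\]/\\\\&/g"; }

# POSIX-safe quoting: close the quote, emit an escaped ', reopen the quote.
# (Command substitution drops trailing newlines; fine for single-line values.)
sh_quote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

naive()       { probe "'$1'"; }                        # as in '$tu'
backslashed() { probe "'$(backslash_escape "$1")'"; }  # backslashes inside '...'
quoted()      { probe "$(sh_quote "$1")"; }

# Allowlist check to run before a value is placed in any command line.
# The character set is an assumption; tighten it to what the script needs.
is_safe_value() {
    case "$1" in
        ''|*[!A-Za-z0-9@.:_+-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample values (not taken from real traffic).
for v in "sip:alice@example.com" "sip:o'brien@example.com" "sip:a' 'b@example.com"
do
    printf '%s\n  naive=%s\n  backslashed=%s\n  quoted=%s\n' \
        "$v" "$(naive "$v")" "$(backslashed "$v")" "$(quoted "$v")"
    is_safe_value "$v" && echo "  allowlist: accept" || echo "  allowlist: reject"
done
```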


