[Devel] exec_dset with params in URI broken

T.R. Missner trmissner at bandwidth.com
Wed Aug 2 05:02:16 CEST 2006


Today I stumbled upon an issue while using exec_dset.

If the R-URI has a parameter in it like the following:

sip:+12125551212 at;dt=180 SIP/2.0

When exec_dset sends the R-URI as a command line param to the command
specified when called like:
popen is used to exec a new shell passing 
"/usr/local/bin/dostuff.pl sip:+12125551212 at;dt=180 SIP/2.0" as
the command
The ; in the RURI is interpreted by the shell as the end of the
This causes the dt=180 portion of the R-URI to passed directly to the
shell causing an error.
It seems this problem could be exploited by an enterprising hacker.

A solution would be to check the param string for semi-colons and if
found escape them with a backslash ( \ ).

I am working on this code now.

Is this a known issue? 

Is there a better solution?


More information about the Devel mailing list