[Users] Re: [Devel] exec_dset with params in URI broken

[Klaus Darilion]

T.R. Missner wrote:
> Hello,
> 
> Today I stumbled upon an issue while using exec_dset.
> 
> If the R-URI has a parameter in it like the following:
> 
> sip:+12125551212 at 208.1.1.1;dt=180 SIP/2.0
> 
> When exec_dset sends the R-URI as a command line param to the command
> specified when called like:
> exec_dset("/usr/local/bin/dostuff.pl");
> popen is used to exec a new shell passing 
> "/usr/local/bin/dostuff.pl sip:+12125551212 at 208.1.1.1;dt=180 SIP/2.0" as
> the command
> The ; in the RURI is interpreted by the shell as the end of the
> parameter.
> This causes the dt=180 portion of the R-URI to passed directly to the
> shell causing an error.
> It seems this problem could be exploited by an enterprising hacker.
> 
> A solution would be to check the param string for semi-colons and if
> found escape them with a backslash ( \ ).
> 
> I am working on this code now.
> 
> Is this a known issue? 
> 
> Is there a better solution?

Probably the best solution would be to avoid exec at all. I managed to 
got rid of all execs by using avp_db_load.

regards
klaus