Todo #12265: Improve uses of ``grep`` which utilize user-supplied patterns - pfSense - pfSense bugtracker

Actions

Todo #12265

closed

Improve uses of ``grep`` which utilize user-supplied patterns

Added by Jim Pingle about 4 years ago. Updated over 3 years ago.

Status:

Resolved

Priority:

High

Assignee:

Category:

Operating System

Target version:

Start date:

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

22.01

Release Notes:

Default

Description

See #12257 and 57a737f1 for examples

A few things to watch out for:

Patterns passed to grep based on user-controlled input that should be sanitized.
Dangerous patterns such as back references (e.g. \1) or group repetition (a)* which are unlikely to be used legitimately and are known sources of problems in grep, leading to a potential DoS due to CPU exhaustion.
Patterns passed to grep which could start with a - and be misinterpreted as grep command line parameters, leading to problems like other files being read that shouldn't be. Can be worked around by placing the pattern after -- e.g. grep -- <pattern>.

Examples of mitigation are in 57a737f1

Actions

Also available in: Atom PDF