Cron package needs basic input validation and output encoding
The cron package does not validate its inputs nor does it encode its output. This can lead to a potential stored XSS.
The time-based fields can be validated against a basic regex to ensure they are the correct form (e.g. "1", "1,2", "*", "*/1", "1-3", etc).
The user field can be validated against the operating system.
The command field cannot be validated as it could be a single command with unknown parameters or even multiple commands using pipes, redirection, etc.
This is not a critical security issue as anyone with access to the Cron package can already run any command as any OS user, so they gain nothing by taking advantage of this.
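The three checks described above (regex validation of the time-based fields, user validation against the operating system, and output encoding for the command field that cannot be validated) as an added example in Python, not the cron package's own PHP code. The field names, the per-field numeric ranges, the `render_row` layout and the sample entry are assumptions for illustration; the user check calls `pwd.getpwnam` by default, so it needs a Unix-like host, and accepts an injectable lookup so it can be exercised without a real account.

```python
import html
import pwd
import re
from typing import Callable, Dict

# Allowed numeric range for each time-based crontab field (assumption: the
# five classic Vixie cron fields; wday allows 0-7 since both 0 and 7 are Sunday).
FIELD_RANGES: Dict[str, tuple] = {
    "minute": (0, 59),
    "hour": (0, 23),
    "mday": (1, 31),
    "month": (1, 12),
    "wday": (0, 7),
}

# One comma-separated element: "*", "N" or "N-M", optionally followed by "/step".
_ELEMENT_RE = re.compile(r"^(\*|(\d{1,2})(?:-(\d{1,2}))?)(?:/(\d{1,2}))?$")


def validate_time_field(name: str, value: str) -> bool:
    """True if value is a well-formed crontab field for the given field name."""
    low, high = FIELD_RANGES[name]
    if not value or value != value.strip():
        return False
    for element in value.split(","):
        match = _ELEMENT_RE.match(element)
        if match is None:
            return False  # anything outside digits, '*', '-', '/' and ',' is rejected
        base, start, end, step = match.groups()
        if base != "*":
            start_n = int(start)
            end_n = int(end) if end is not None else start_n
            if not (low <= start_n <= end_n <= high):
                return False
        if step is not None:
            # A step only makes sense after "*" or a range, and must be non-zero.
            if base != "*" and end is None:
                return False
            if int(step) == 0:
                return False
    return True


def validate_user(username: str,
                  lookup: Callable[[str], object] = pwd.getpwnam) -> bool:
    """True if username is a plausible account name that exists on this OS.

    lookup must raise KeyError for unknown accounts, as pwd.getpwnam does.
    """
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", username):
        return False
    try:
        lookup(username)
    except KeyError:
        return False
    return True


def encode_for_html(value: str) -> str:
    """Encode untrusted text for insertion into HTML element or attribute content."""
    return html.escape(value, quote=True)


def render_row(entry: Dict[str, str]) -> str:
    """Render one cron entry as an HTML table row, encoding every cell.

    The command is deliberately not validated (it can be anything the shell
    accepts), so output encoding is what prevents stored XSS when it is shown.
    """
    keys = ("minute", "hour", "mday", "month", "wday", "who", "command")
    return "<tr>" + "".join(f"<td>{encode_for_html(entry[k])}</td>" for k in keys) + "</tr>"


if __name__ == "__main__":
    # Constructed sample entry whose command field carries HTML markup.
    sample = {"minute": "*/5", "hour": "1-3", "mday": "*", "month": "*", "wday": "0,6",
              "who": "root", "command": "/usr/bin/true # <script>alert(1)</script>"}
    for field in FIELD_RANGES:
        print(field, validate_time_field(field, sample[field]))
    print(render_row(sample))
```

The time-field regex is intentionally a whitelist: anything that is not digits, `*`, `-`, `/` or `,` is rejected before range checks run. For the command field, the only defence is encoding at render time, so `render_row` encodes every cell rather than trusting any of them.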
Updated by Jim Pingle 9 months ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Updated by Christopher Cope 9 months ago
- Status changed from Feedback to Resolved
Tested and working as expected on
2.6.0-RELEASE (amd64) built on Mon Jan 31 19:57:53 UTC 2022 FreeBSD 12.3-STABLE Cron 0.3.8