Project

General

Profile

Actions
Copy link

Bug #13299

closed

Cron package needs basic input validation and output encoding

Added by Jim Pingle almost 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Jim Pingle
Category:
Cron
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
All

Description

The cron package does not validate its inputs nor does it encode its output. This can lead to a potential stored XSS.

The time-based fields can be validated against a basic regex to ensure they are the correct form (e.g. "1", "1,2", "*", "*/1", "1-3", etc).

The user field can be validated against the operating system.

The command field cannot be validated as it could be a single command with unknown parameters or even multiple commands using pipes, redirection, etc.

This is not a critical security issue as anyone with access to the Cron package can already run any command as any OS user, so they gain nothing by taking advantage of this.

Actions
Copy link
 #1

Updated by Jim Pingle almost 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions
Copy link
 #2

Updated by Christopher Cope almost 2 years ago

  • Status changed from Feedback to Resolved

Tested and working as expected on

2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE

Cron 0.3.8

Marking resolved.

Actions
Copy link

Also available in: Atom PDF