Bug #13299

closed

Cron package needs basic input validation and output encoding

Added by Jim Pingle over 2 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Cron
Target version:
-
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:
All

Description

The cron package does not validate its inputs nor does it encode its output. This can lead to a potential stored XSS.

The time-based fields can be validated against a basic regex to ensure they are the correct form (e.g. "1", "1,2", "*", "*/1", "1-3", etc).

The user field can be validated against the operating system.

The command field cannot be validated as it could be a single command with unknown parameters or even multiple commands using pipes, redirection, etc.

This is not a critical security issue as anyone with access to the Cron package can already run any command as any OS user, so they gain nothing by taking advantage of this.
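One way to implement the checks the description calls for, as an added PHP example that is not the cron package's own code; it assumes standard cron field ranges and that the posix extension is available for the user lookup:

```php
<?php
// Added example, not the pfSense cron package's own code: a regex check for
// the schedule fields ("1", "1,2", "*", "*/1", "1-3"), an OS account check for
// the user, and HTML encoding for the free-form command on output.

// Numeric bounds per cron field (standard cron ranges, assumed here).
const CRON_FIELD_RANGES = ['minute' => [0, 59], 'hour' => [0, 23],
    'mday' => [1, 31], 'month' => [1, 12], 'wday' => [0, 7]];

// True when $value is syntactically a cron field and every number is in range.
function cron_field_is_valid(string $value, string $field): bool {
    [$min, $max] = CRON_FIELD_RANGES[$field];
    // One list item: "*", N or N-M, each optionally followed by "/step".
    $item = '(?:\*|\d{1,2}(?:-\d{1,2})?)(?:\/\d{1,2})?';
    if (!preg_match("/^{$item}(?:,{$item})*\$/", $value)) {
        return false;
    }
    foreach (explode(',', $value) as $part) {
        [$range, $step] = array_pad(explode('/', $part, 2), 2, null);
        if ($step !== null && (int)$step < 1) {
            return false;           // "*/0" is never valid
        }
        if ($range === '*') {
            continue;
        }
        [$lo, $hi] = array_pad(explode('-', $range, 2), 2, null);
        $hi = $hi ?? $lo;
        if ((int)$lo < $min || (int)$hi > $max || (int)$lo > (int)$hi) {
            return false;
        }
    }
    return true;
}

// The user field is valid only if the OS knows the account (needs ext-posix).
function cron_user_is_valid(string $user): bool {
    return $user !== '' && posix_getpwnam($user) !== false;
}

// The command cannot be validated, so every field is encoded when rendered.
function cron_cell(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample entry: the schedule passes, the command is encoded.
$entry = ['minute' => '*/5', 'hour' => '1-3,22', 'command' => '/bin/ls > "<x>"'];
var_dump(cron_field_is_valid($entry['minute'], 'minute'),
         cron_field_is_valid($entry['hour'], 'hour'));
echo cron_cell($entry['command']), "\n";
```

Rejecting the entry on a failed field check is the input-validation half; calling cron_cell on every value written into the page is the output-encoding half, and the latter is what closes the stored XSS for the command field.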

Actions #1

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Christopher Cope over 2 years ago

  • Status changed from Feedback to Resolved

Tested and working as expected on

2.6.0-RELEASE (amd64)
built on Mon Jan 31 19:57:53 UTC 2022
FreeBSD 12.3-STABLE

Cron 0.3.8

Marking resolved.
