Monit: support quotes in passwords #7156
Conversation
|
And if it has both? ;) |
|
Then we could encode it. |
|
Highly unlikely but could happen. However I think it's better than the case before, where we don't handle double quotes. I had rough couple of hours trying to figure out why my monit setup don't send anything out then I discovered my password contains some quotes and it broke monit config. However if I was informed or got prevented from saving that password in the web page setup form, none of this would've happened. |
|
I want to be very honest: security "researchers" don't give a damn about probability and this is clearly problematic from a technical point of view. Touch this once and fix all the issues is the best approach or else you will end up spending more time and more time again and processing a CVE eventually... That being said single and double quotes have different escaping rules. In the shell you can use different quotes to write problematic quotes. I don't know how this works for monit but I also don't want to investigate.
Cheers, |
|
@fichtner But monit doesn't use shell to parse? Maybe I'm missing the point. But if you can make it work, that would be awesome. Good luck! |
|
I'm only explaining my point because the approach so far is not cutting it. |
|
Ok, then, to be on the safe site, we have to encode all charachters. |
AdSchellevis
force-pushed
the
master
branch
3 times, most recently
from
78845fc
to
8ba454a
Compare
Passwords containing single quotes must be bounded by double quotes and vice versa.
So passwords with double quotes needs to be bounded by single quotes.
See #6748