Ciao Roberto,
On 12/28/18 5:20 AM, Roberto C. Sánchez wrote:
> Hi Tomas,
>
> On Mon, Dec 24, 2018 at 08:47:55PM +0000, Tomas Bortoli wrote:
>>Hi Robert,
>>
>>Your patch seems not to be definitive against CVE-2018-19518.
>>This is because checking for spac
Hi Roberto,
On 12/24/18 10:40 PM, Roberto C. Sánchez wrote:
> There are two command templates involved in this section of code:
> rshcommand and sshcommand. The two for loops each operate on a
> different command template.
Ah ahn.. I missed that single byte difference, thanks.
> Yes, the descri
Hi Robert,
Your patch seems not to be definitive against CVE-2018-19518.
This is because checking for spaces won't be enough if an attacker uses some "bash
trick" to get a space...
In fact you can get a space by not typing it, with something like this:
a=`date`;echo${a:3:1}asd
Will print "asd".. it