Bug 958733

Summary: plexus-utils: suspicious shell quoting in org.codehaus.plexus.util.cli
Product: [Fedora] Fedora Reporter: Florian Weimer <fweimer>
Component: plexus-utilsAssignee: Mikolaj Izdebski <mizdebsk>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: charles, fnasser, java-sig-commits, krosenvold, mizdebsk
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
See Also: https://jira.codehaus.org/browse/PLXUTILS-161
Whiteboard:
Fixed In Version: 3.0.16-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1009412 (view as bug list) Environment:
Last Closed: 2014-01-27 14:04:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 958220, 1009412, 1532497    

Description Florian Weimer 2013-05-02 10:13:30 UTC 
The shell quoting logic in this package (and the org.codehaus.plexus.util.cli.shell) package looks fairly dangerous.  It appears to be mostly dead code.  Client code should be migrated to java.lang.ProcessBuilder.

The different quoting options (single quotes, double quotes) are difficult to get right, and the reference to StringUtils is not particularly helpful because the caller has to provide the correct set of characters to be escaped, which is platform-dependent.
Comment 1 Mikolaj Izdebski 2013-05-06 07:30:59 UTC 
plexus-utils package is widely used (required by 96 packages in Fedora and it is the most often downloaded artifact on Maven Central [1]), so changing the API or migrating dependant packages to use standard JDK API would be difficult or impossible.

If I remember correctly the shell quoting code is indirectly used by maven-scm and maven-wagon.  Migration to ProcessBuilder is impossible (or at least not always possible) because the shell code needs to be executed on remote hosts (eg. over SSH) which is beyond capabilities of ProcessBuilder.

In my opinion the shell quoting and escaping code should be fixed to conform to appropriate standards, like [2].

[1] http://search.maven.org/#stats
[2] http://pubs.opengroup.org/onlinepubs/7908799/xcu/chap2.html
Comment 2 Mikolaj Izdebski 2013-09-27 17:52:43 UTC 
Related to upstream bug PLXUTILS-161
Comment 3 Kristian Rosenvold 2013-09-27 20:11:36 UTC 
I am one of the current maintainers of the plexus code in question. 

Plexus-utils is mostly used within maven, which (like all the build systems for java) is not a "safe" execution environment; if someone wants to inject an "rm -rf /*" into your build system there's probably thousands of different attack vectors to achieve this. This applies to all modern java build systems and is not a particular maven problem.

I am mostly trying to establish the actual severity of this issue;
we will gladly accept patches that update the correctness of the quoting algorithms (or if you can explain it to thickheads like me, I'll even fix it myself!). The code we're talking about here is ancient (and none of my doing) and just understanding the problem/consequences is hard enough.
Comment 4 Charles Duffy 2013-09-28 19:20:19 UTC 
A patch correcting the quoting algorithm (and avoiding its use where possible) has been attached to PLXUTILS-161.
Comment 5 Fedora End Of Life 2013-12-21 15:30:26 UTC 
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '18'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 18's end of life.

Thank you for reporting this issue and we are sorry that we may not be 
able to fix it before Fedora 18 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior to Fedora 18's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 6 Mikolaj Izdebski 2014-01-27 13:53:14 UTC 
Fixed in plexus-utils-3.0.16-1
Comment 7 Mikolaj Izdebski 2014-01-27 14:04:45 UTC 
I believe that this bug is fixed in plexus-utils-3.0.16-1,
which is available in Fedora Rawhide, so I am closing this bug now.

The build containing the fix can be found at Koji:
http://koji.fedoraproject.org/koji/buildinfo?buildID=494089

This bug was fixed in the next release of Fedora, and is not planned
to be fixed in the release it was filed against.  If you want this bug
to be fixed in updates for Fedora 18, please say so in a comment.
Otherwise you can update to the newer release of Fedora to get the fix.