Description of problem:
even if you surround args with quotes, e.g. "$@". Maybe a newer version has it fixed.

Version-Release number of selected component (if applicable):
incron-0.5.10-8.el7.x86_64

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Well, there's not a newer version that I am aware of... but I will try and take a look and see what I can do when I get some time.
would these be only rpm build version? rhel 0.5.10; fedora 0.5.12
Oh yeah, I forgot they moved to github for .11 and .12. you are quite right. Can you try this scratch build and see if it solves your issue? https://koji.fedoraproject.org/koji/taskinfo?taskID=27191722
Spaces are the least of your worries. https://github.com/ar-/incron/issues/35
The EPEL package should warn admins that wildcard filenames should NOT be used unless the user and the process by which the filenames are created are fully trusted.
Well, it's running arbitrary commands as root (or a user), I would think it would go without saying that you need to be careful generating its configuration. Where would such a warning go?
(In reply to Kevin Fenzi from comment #6)
> Well, it's running arbitrary commands as root (or a user), I would think it
> would go without saying that you need to be careful generating its
> configuration.

The problem is, it doesn't run the commands in the incrontab, but commands embedded in filenames. (When using wildcard patterns.)

> Where would such a warning go?

For the acme-tiny package (which recommends incron), I put it in a README in %doc along with tips for configuring it to kick sendmail, httpd, when certs are updated. The best way to avoid the risk is to not use wildcard patterns. They are no longer safe since incron took the ill-advised and incompatible step (with 0.5.11 or 0.5.12) of running a shell command to parse arbitrary filenames (i.e. untrusted strings in most cases). Note that quoting '$@' does no good, for filenames can contain quotes as well. And backslashes.
I just checked GetSafePath on 0.5.12, and it is only escaping space and backslash. If it escaped all shell metachars like bash tab completion does, then it would be a little less dangerous. As it is, people often have special chars in filenames, and an incrontab watching a directory with, say, album tracks could accidentally do something nasty with song names often containing quotes, semi-colons, ampersands, etc. If I get a chance, I'll look up the bash tab completion code to get the list of chars that need to be escaped, and offer a patch. Then Fedora can include the patch even if upstream never gets around to it. (It's been years.)
This discussion suggests that if GetSafePath would just escape single quote, you can put the incron path variable in single quotes: https://stackoverflow.com/questions/15783701/which-characters-need-to-be-escaped-when-using-bash The second suggestion in the above was to escape everything not in the easy safe set of [a-zA-Z0-9,._+:@%/-] So I should be able to come up with a patch.
Control chars (also allowed in filenames) also require special treatment. Patch delayed for further research. Is there a simple way to go back to using execvp like 0.5.10 for the Fedora package?
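As an added example (not incron's code and not a patch from this thread), a C++ sketch of what comments #8 to #11 ask for: a weak escaper that mirrors the described 0.5.12 behaviour (only space and backslash escaped) beside a quoting function that treats every byte outside the safe set from comment #10, control characters and quotes included, as untrusted by single-quoting the whole path. Function names and the sample filenames are constructed for the example.

```cpp
#include <cstring>
#include <string>

// Constructed approximation of the 0.5.12 GetSafePath behaviour described in
// comment #8: only space and backslash receive a backslash. Quotes, ';', '&',
// '$', backticks and newlines pass through untouched and still reach the shell.
std::string escapeSpaceBackslashOnly(const std::string& path) {
    std::string out;
    for (char c : path) {
        if (c == ' ' || c == '\\') out += '\\';
        out += c;
    }
    return out;
}

// The "easy safe set" from comment #10: [a-zA-Z0-9,._+:@%/-]. Checked on raw
// bytes so that locale settings and high (non-ASCII) bytes cannot widen it.
static bool isShellSafe(unsigned char c) {
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))
        return true;
    return c != 0 && std::strchr(",._+:@%/-", c) != nullptr;
}

// Hardened variant: a non-empty path made only of safe bytes is returned as
// is; anything else is wrapped in single quotes, inside which sh treats every
// byte literally (including control characters). An embedded single quote is
// spliced as '\'' so the quoting cannot be terminated by the filename.
std::string shellQuotePath(const std::string& path) {
    bool allSafe = !path.empty();
    for (unsigned char c : path) {
        if (!isShellSafe(c)) { allSafe = false; break; }
    }
    if (allSafe) return path;
    std::string out = "'";
    for (char c : path) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}
```

The quoted result is what belongs in the generated command line in place of the bare path (or "$@" argument); the weak form shows which metacharacters the old escaper leaves live.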