[systemd-devel] systemctl show environment quoting

Lennart Poettering lennart at poettering.net
Tue Nov 11 07:56:48 PST 2014


On Wed, 29.10.14 09:40, Alexandre Detiste (alexandre.detiste at gmail.com) wrote:

> Hi,
> 
> I stumbled on this:
> 
> $ systemctl cat cron-crontab-pi-0 | grep Environment
> Environment="A=a a" "MAILTO=system-cron at mailinator.com" "B=b b" "C=c c"
> $ systemctl show cron-crontab-pi-0 -p Environment
> Environment=A=a a MAILTO=system-cron at mailinator.com B=b b C=c c
> 
> -> the quotes are gone.
> 
> Is this done by design, or a bug in "systemctl show"?
> 
> My simple parser could be abused if someone hid a MAILTO= inside another env variable.
> https://github.com/systemd-cron/systemd-cron/blob/master/src/bin/mail_on_failure
> 
> Here this won't hurt, but this may cause security problems elsewhere.

I made some minimal changes to git now:

http://cgit.freedesktop.org/systemd/systemd/commit/?id=27e9c5af817147ea1c678769e45e83f2e4b4ae96

This tries to improve things a bit, but I figure it might break stuff
for you.

So previously we'd just output the strings as is, separated by
spaces, and suffixed by a single newline. If the string contained
spaces this would create an ambiguity when trying to parse
this. Now, completely changing the output by enclosing everything in ""
and escaping the " to \" inside the strings appears wrong to me, since
it's a major compat break. I hence went the other way, and will now
escape spaces and newlines inside the strings to the usual C "\x012"
syntax. This means spaces now become \x020. This makes the output
reversible, but of course looks awful if env vars really contain
spaces...

Lennart

-- 
Lennart Poettering, Red Hat
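
Added example, not part of the original mail or of systemd's code: a Python model of the parsing ambiguity raised in this thread and of the escaping approach the reply describes. The variable values are constructed, and the two-hex-digit `\xHH` escape form is an assumption; check it against the actual `systemctl show` output of the systemd version in use.

```python
import re

# Constructed sample values; A's value hides a MAILTO= after a space.
ENV = ["A=a MAILTO=injected@example.invalid",
       "MAILTO=admin@example.invalid", "B=b b", "C=c c"]

def render_legacy(assignments):
    """Old output described in the mail: strings as-is, space separated."""
    return " ".join(assignments)

def escape(s):
    """Escape backslash and whitespace as \\xHH (assumed two-digit form)."""
    return "".join("\\x%02x" % ord(c) if c in " \n\t\\" else c for c in s)

def render_escaped(assignments):
    """Model of the new output: separators are the only raw spaces left."""
    return " ".join(escape(a) for a in assignments)

def unescape(s):
    """Reverse escape(); each \\xHH is decoded once, left to right."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), s)

def parse_naive(line):
    """Split on spaces and keep every token that looks like NAME=value."""
    return [tuple(t.split("=", 1)) for t in line.split(" ") if "=" in t]

def parse_escaped(line):
    """Split on the separator first, then decode each assignment."""
    return [tuple(unescape(t).split("=", 1)) for t in line.split(" ") if t]

def mailto_values(pairs):
    """All values assigned to MAILTO, in order of appearance."""
    return [v for k, v in pairs if k == "MAILTO"]

if __name__ == "__main__":
    legacy = render_legacy(ENV)
    escaped = render_escaped(ENV)
    print(legacy)
    print(mailto_values(parse_naive(legacy)))     # two values, one never set
    print(escaped)
    print(mailto_values(parse_escaped(escaped)))  # only the real assignment
```

A consumer of the escaped form has to split on the separator before decoding; decoding first would reintroduce the ambiguity.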

