51369b610e
When an include is not surrounded by empty lines, its content is inlined on the same line as the adjacent content. That can lead to broken tags and other display issues. This PR fixes all such includes and introduces a validation step that forbids introducing the same problem again.
45 lines
1.2 KiB
Plaintext
45 lines
1.2 KiB
Plaintext
== How to fix it in Paramiko
|
|
|
|
=== Code examples
|
|
|
|
include::../../common/fix/code-rationale.adoc[]
|
|
|
|
In the following example, if the *host* request parameter contains system
|
|
shell control characters, the expected `ping` command behavior will be changed.
|
|
|
|
==== Noncompliant code example
|
|
|
|
[source,python,diff-id=1,diff-type=noncompliant]
|
|
----
|
|
client = SSHClient()
|
|
client.connect("example.org", username=USER, password=PASS)
|
|
client.exec_command(request.args.get("cmd")) # Noncompliant
|
|
----
|
|
|
|
==== Compliant solution
|
|
|
|
[source,python,diff-id=1,diff-type=compliant]
|
|
----
|
|
client = SSHClient()
|
|
client.connect("example.org", username=USER, password=PASS)
|
|
|
|
DIAG_CMD=["/bin/ping -c 1 -- %s", "/bin/host -- %s"]
|
|
cmd = DIAG_CMD[int(request.args.get('cmdId'))]
|
|
cmd = cmd % shlex.quote(request.args.get('host'))
|
|
client.exec_command(cmd)
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/introduction.adoc[]
|
|
|
|
include::../../common/fix/pre-approved-list.adoc[]
|
|
|
|
:sanitizationLib: shlex
|
|
|
|
include::../../common/fix/sanitize-meta-characters.adoc[]
|
|
|
|
In the example compliant code, the `quote` function from the `shlex` is used to
|
|
encode the user-controlled command argument. It escapes argument delimiters
|
|
and shell control characters.
|