mininet
Fix #850, prevent code execution on node init
I don't think this fixes the issue, since you could just put a quote in the string.
The way cmd works is it passes strings to the shell which executes them. I don't think it's feasible to sanitize all input strings, though we could (and perhaps should) switch to using pexec.
I also still don't understand the underlying threat model that this is attempting to mitigate.
I don't think this fixes the issue, since you could just put a quote in the string.
Yes, you are right, i wasn't thinking this through...
The way
cmdworks is it passes strings to the shell which executes them. I don't think it's feasible to sanitize all input strings, though we could (and perhaps should) switch to usingpexec.
which pexec do you mean specifically?
I also still don't understand the underlying threat model that this is attempting to mitigate.
neither do i, just wanted to close some issues:D
ah: this doesn't work with python2, how important is still having python2 support for the project?
Working with python 2 is important. If we break backward compatibility in a big way that would probably need to be in a 3.x version of mininet.
I think the right way to fix this for the current version is to use host.pexec - then it doesn't go through the shell.
However, as I noted, I still don't understand the threat model this is attempting to mitigate.
Probably we also want to switch to using netcat as you suggested in #1103.
okay then let's postpone this (as i don't think it's that important anyway) for a future release. should i close it?