D15883: [Android] Support args for running commands
Simon Redman
noreply at phabricator.kde.org
Tue Oct 2 17:24:16 BST 2018
sredman added a comment.
In D15883#335386 <https://phabricator.kde.org/D15883#335386>, @nicolasfella wrote:
> In D15883#334966 <https://phabricator.kde.org/D15883#334966>, @apol wrote:
>
> > What's the use-case?
>
> It's useful when you have commands that you run often, but with varying parameters. Like "sudo pacman -S $packet". I don't know why you would want to install packets from the phone, but there are other commands where this will be more useful
There is a problem with injection-type attacks.
For instance, I have created the command: "touch %1" (just to test)
I can run the command with the argument "/tmp/test" and I see the file /tmp/test -- Good!
I can then run the command with the argument "/tmp/test2; rm /tmp/test". I see the file /tmp/test2, but /tmp/test has been deleted -- Not good!
In case the point isn't clear, this allows arbitrary command execution from a compromised handset by sticking whatever you want into a command argument. Of course, any checking should be on the desktop side.
REPOSITORY
R225 KDE Connect - Android application
REVISION DETAIL
https://phabricator.kde.org/D15883
To: nicolasfella, #kde_connect
Cc: sredman, apol, kdeconnect, wistak, dvalencia, rmenezes, julioc, Leptopoda, timothyc, jdvr, yannux, Danial0_0, johnq, Pitel, adeen-s, SemperPeritus, ndavis, daniel.z.tg, jeanv, seebauer, bugzy, MayeulC, menasshock, tctara
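As an added illustration of the problem sredman describes (not code from KDE Connect, whose desktop side is Qt code): the same `touch %1` template with the argument spliced in as raw text, beside a variant that wraps the argument in POSIX single quotes so the shell sees one word. Function names and the plain-C++ form are assumptions for this example.

```cpp
#include <iostream>
#include <string>

// Replace every "%1" in the template with `arg`, scanning left to right so
// that a "%1" inside the argument itself is never re-expanded.
static std::string replaceAll(const std::string& tmpl, const std::string& arg) {
    std::string out;
    std::string::size_type start = 0, pos;
    while ((pos = tmpl.find("%1", start)) != std::string::npos) {
        out.append(tmpl, start, pos - start);
        out += arg;
        start = pos + 2;
    }
    out.append(tmpl, start, std::string::npos);
    return out;
}

// POSIX single-quoting: inside '...' nothing is special except the closing
// quote, so an embedded ' is written as '\'' (close, escaped quote, reopen).
std::string shellQuote(const std::string& arg) {
    std::string q = "'";
    for (char c : arg) {
        if (c == '\'') q += "'\\''";
        else q += c;
    }
    q += "'";
    return q;
}

// Vulnerable: "; rm /tmp/test" in the argument becomes a second command
// once the string reaches sh -c.
std::string substituteNaive(const std::string& tmpl, const std::string& arg) {
    return replaceAll(tmpl, arg);
}

// Hardened: the whole argument stays a single shell word.
std::string substituteQuoted(const std::string& tmpl, const std::string& arg) {
    return replaceAll(tmpl, shellQuote(arg));
}

int main() {
    const std::string tmpl = "touch %1";                  // constructed template
    const std::string arg  = "/tmp/test2; rm /tmp/test";  // argument from the thread
    std::cout << "naive : " << substituteNaive(tmpl, arg) << "\n";
    std::cout << "quoted: " << substituteQuoted(tmpl, arg) << "\n";
    return 0;
}
```

Quoting fixes the shell-splitting problem only; if the command list itself must be trusted, the desktop side still has to decide which templates a handset may run.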