[PR #613] [MERGED] Fix improper quoting of arguments #3684

Closed
opened 2026-05-05 10:05:59 -06:00 by gitea-mirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/613
Author: @manevich
Created: 7/4/2016
Status: Merged
Merged: 7/5/2016
Merged by: @netblue30

Base: master ← Head: manevich-fix-quoting-1


📝 Commits (2)

  • cbdf71a Fix improper quoting of arguments
  • d578c4c Fix improper quoting of arguments

📊 Changes

2 files changed (+3 additions, -3 deletions)

📝 src/firejail/join.c (+2 -2)
📝 src/firejail/main.c (+1 -1)

📄 Description

Using double quotes instead of single quotes for `cfg.command_line` allows arbitrary command execution inside of the jail if command args (e.g. filenames) contain special sequences (backtick, $(), etc.).

How to reproduce:
``touch '`uname -a`'``
`touch '$(cal)'`
in the same directory:
`firejail cat *uname*`
command `uname -a` will be executed in jail
`firejail cat *cal*`
command `cal` will be executed in jail.

This hopefully fixes it.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
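
The quoting rule the description relies on, as an added example that is not firejail's code and not part of the PR: each argument is wrapped in single quotes before the command line is handed to a shell, so `$()` and backticks stay literal. The function names `sh_single_quote` and `build_command_line` are hypothetical, and the handling of an embedded single quote goes beyond what the PR description covers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (added example, not firejail's code): wrap arg in single
 * quotes for a POSIX shell. Nothing expands inside '...'; an embedded ' is
 * written as '\'' (close, escaped quote, reopen). Caller frees the result. */
char *sh_single_quote(const char *arg) {
    size_t n = 3;                            /* two quotes + NUL */
    for (const char *p = arg; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *w = out;
    if (!out) return NULL;
    *w++ = '\'';
    for (const char *p = arg; *p; p++) {
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }
        else *w++ = *p;
    }
    *w++ = '\'';
    *w = '\0';
    return out;
}

/* Join argv into one sh -c command line, quoting every argument. */
char *build_command_line(int argc, char *const argv[]) {
    size_t cap = 1, len = 0;
    char *line = calloc(1, 1);
    for (int i = 0; line && i < argc; i++) {
        char *q = sh_single_quote(argv[i]);
        if (!q) { free(line); return NULL; }
        cap += strlen(q) + 1;                /* argument + separator */
        char *tmp = realloc(line, cap);
        if (!tmp) { free(q); free(line); return NULL; }
        line = tmp;
        len += (size_t)snprintf(line + len, cap - len, "%s%s", i ? " " : "", q);
        free(q);
    }
    return line;
}

int main(void) {
    /* Constructed sample: file names like those in the reproduction steps. */
    char *const argv[] = { "cat", "$(cal)", "`uname -a`", "it's" };
    char *line = build_command_line(4, argv);
    if (!line) return 1;
    puts(line);
    free(line);
    return 0;
}
```

Wrapping the same arguments in double quotes instead would leave `$(cal)` and the backtick form subject to command substitution, which is the behaviour the reproduction steps show.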

Reference: github-starred/firejail#3684