Mirrors/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2025-12-06 14:20:55 +03:00
Code Issues Packages Projects Releases Wiki Activity

command actions: restrict passing env vars

Browse Source 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino
2025-01-13 20:02:34 +01:00
parent b347ab6051
commit 631efc2b00
3 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
internal/common/eventmanager.go
View File

@@ -1519,7 +1519,7 @@ func executeCommandRuleAction(c dataprovider.EventActionCommandConfig, params *E
cmd := exec.CommandContext(ctx, c.Cmd, args...) cmd := exec.CommandContext(ctx, c.Cmd, args...)
cmd.Env = []string{} cmd.Env = []string{}
for _, keyVal := range c.EnvVars { for _, keyVal := range c.EnvVars {
if keyVal.Value == "$" { if keyVal.Value == "$" && !strings.HasPrefix(strings.ToUpper(keyVal.Key), "SFTPGO_") {
val := os.Getenv(keyVal.Key) val := os.Getenv(keyVal.Key)
if val == "" { if val == "" {
eventManagerLog(logger.LevelDebug, "empty value for environment variable %q", keyVal.Key) eventManagerLog(logger.LevelDebug, "empty value for environment variable %q", keyVal.Key)

2
static/locales/en/translation.json
View File

@@ -977,7 +977,7 @@
"command_help": "Absolute path of the command to execute", "command_help": "Absolute path of the command to execute",
"command_args": "Arguments", "command_args": "Arguments",
"command_args_help": "Comma separated command arguments. Placeholders are supported", "command_args_help": "Comma separated command arguments. Placeholders are supported",
"command_env_vars_help": "Placeholders are supported in values. Setting the name to \"$\" without quotes means retrieving the value from the environment", "command_env_vars_help": "Placeholders are supported in values. Setting the value to \"$\" without quotes means retrieving the key from the environment excluding keys starting with SFTPGO_",
"email_recipients": "To", "email_recipients": "To",
"email_recipients_help": "Comma separated recipients. Placeholders are supported", "email_recipients_help": "Comma separated recipients. Placeholders are supported",
"email_bcc": "Bcc", "email_bcc": "Bcc",

2
static/locales/it/translation.json
View File

@@ -977,7 +977,7 @@
"command_help": "Percorso assoluto del comando da eseguire", "command_help": "Percorso assoluto del comando da eseguire",
"command_args": "Argomenti", "command_args": "Argomenti",
"command_args_help": "Argomenti del comando separati da virgole. I segnaposto sono supportati", "command_args_help": "Argomenti del comando separati da virgole. I segnaposto sono supportati",
"command_env_vars_help": "I segnaposto sono supportati nei valori. Impostare il nome su \"$\" senza virgolette significa recuperare il valore dall'ambiente", "command_env_vars_help": "I segnaposto sono supportati nei valori. Impostare il valore su \"$\" senza virgolette significa recuperare il nome dall'ambiente ad esclusione dei nomi che iniziano con SFTPGO_",
"email_recipients": "A", "email_recipients": "A",
"email_recipients_help": "Destinatari separati da virgole. I segnaposto sono supportati", "email_recipients_help": "Destinatari separati da virgole. I segnaposto sono supportati",
"email_bcc": "Ccn", "email_bcc": "Ccn",