Mirrors/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2025-12-06 06:10:54 +03:00
Code Issues Packages Projects Releases Wiki Activity

command actions: restrict passing env vars

Browse Source 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino
2025-01-13 20:02:34 +01:00
parent 04fa242f57
commit e8c5f8ed81
3 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
internal/common/eventmanager.go
View File

@@ -1524,7 +1524,7 @@ func executeCommandRuleAction(c dataprovider.EventActionCommandConfig, params *E
cmd := exec.CommandContext(ctx, c.Cmd, args...)
cmd.Env = []string{}
for _, keyVal := range c.EnvVars {
if keyVal.Value == "$" {
if keyVal.Value == "$" && !strings.HasPrefix(strings.ToUpper(keyVal.Key), "SFTPGO_") {
val := os.Getenv(keyVal.Key)
if val == "" {
eventManagerLog(logger.LevelDebug, "empty value for environment variable %q", keyVal.Key)

2
static/locales/en/translation.json
View File

@@ -1008,7 +1008,7 @@
"command_help": "Absolute path of the command to execute",
"command_args": "Arguments",
"command_args_help": "Comma separated command arguments. Placeholders are supported",
"command_env_vars_help": "Placeholders are supported in values. Setting the name to \"$\" without quotes means retrieving the value from the environment",
"command_env_vars_help": "Placeholders are supported in values. Setting the value to \"$\" without quotes means retrieving the key from the environment excluding keys starting with SFTPGO_",
"email_recipients": "To",
"email_recipients_help": "Comma separated recipients. Placeholders are supported",
"email_bcc": "Bcc",

2
static/locales/it/translation.json
View File

@@ -1008,7 +1008,7 @@
"command_help": "Percorso assoluto del comando da eseguire",
"command_args": "Argomenti",
"command_args_help": "Argomenti del comando separati da virgole. I segnaposto sono supportati",
"command_env_vars_help": "I segnaposto sono supportati nei valori. Impostare il nome su \"$\" senza virgolette significa recuperare il valore dall'ambiente",
"command_env_vars_help": "I segnaposto sono supportati nei valori. Impostare il valore su \"$\" senza virgolette significa recuperare il nome dall'ambiente ad esclusione dei nomi che iniziano con SFTPGO_",
"email_recipients": "A",
"email_recipients_help": "Destinatari separati da virgole. I segnaposto sono supportati",
"email_bcc": "Ccn",