Those parameters may eventually be passed to a shell script (at least /usr/lib/qubes/qubes-rpc-multiplexer). While it is possible to properly escape shell special characters, let's do the safer and less fragile thing: forbid such characters entirely. In the case of the target name, qrexec policy keywords are allowed, and after a recent change, those contain '@', so allow this char.

(cherry picked from commit cf28dad1943bd424b2ed23000cdcfd32d8e3190c)
parent e6d8b52197
commit f481671782