There is a  bug can run any command on linux when use opentsdb ui 

if there is a wrong parameter such like "wxh=1900x770`ls /home/`" it will cause an "IllegalArgumentException",And then be  process with "badRequest"  , because this response with "PNG" , the wrong parameter will be worte to a script ,add run&#12290;

there is a sample way to fix it temporarily
`---a/expand/opentsdb/src/tsd/HttpQuery.java
+++ b/expand/opentsdb/src/tsd/HttpQuery.java
@@ -421,8 +421,8 @@ final class HttpQuery extends AbstractHttpQuery {
       HttpQuery.escapeJson(exception.getMessage(), buf);
       buf.append("\"}");
       sendReply(HttpResponseStatus.BAD_REQUEST, buf);
-    } else if (hasQueryStringParam("png")) {
-      sendAsPNG(HttpResponseStatus.BAD_REQUEST, exception.getMessage(), 3600);
-    //} else if (hasQueryStringParam("png")) {
-      //sendAsPNG(HttpResponseStatus.BAD_REQUEST, exception.getMessage(), 3600);
   } else {
     sendReply(HttpResponseStatus.BAD_REQUEST,
               makePage("Bad Request", "Looks like it's your fault this time",` 


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

There is a bug can run any command on linux when use opentsdb ui #793

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

There is a bug can run any command on linux when use opentsdb ui #793

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions