GlobalSCAPE Knowledge Base


After upgrade, Event Rule is adding ^ symbol to custom command


kmarsh
EFT Express (SMB) & Enterprise

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, v7.4.11 and later

SYMPTOM

Upon upgrades to 7.4.11 or later, EFT adds a ^ (caret) to any parameters being passed in Custom Commands.

CAUSE

EFT adds the ^ to avoid arbitrary code execution.

MORE INFORMATION

File names passed to a Custom Command are not enclosed in quotation marks unless the file name contains a space. Because the uploading user controls the file name, an unquoted name reaches the command shell as-is, and EFT cannot disallow every special character; a user could therefore upload a file whose name causes additional commands to execute. File names and paths passed to Custom Commands as parameters should always be enclosed in quotes to avoid arbitrary remote code execution.

After upgrading to 7.4.11 or later, EFT encloses file names and parameters with carets and quotation marks. You can see results, including errors, in the command log file, C:\ProgramData\Globalscape\EFT Server Enterprise\Logs\cmdout.log. (The cmdout.log file is only created when you run an Event Rule that uses the Execute Command in folder Action.)

You can read more about command line arguments with quotation marks vs carets in the Microsoft MSDN blog: https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/

"While the [quotation mark] cannot fully protect metacharacters in our command lines against unintended shell interpretation, the ^ [caret] metacharacter can. When cmd transforms a command line and sees a ^, it ignores the ^ character itself and copies the next character to the new command line literally, metacharacter or not. That's why ^ works as the line continuation character: it tells cmd to copy a subsequent newline as itself instead of regarding that newline as a command terminator. If we prefix with ^ every metacharacter in an argument string, cmd will transform that string into the one we mean to use."
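As an added illustration (not EFT's or Globalscape's code), the following Python implements the two-step escaping the cited post recommends and the article describes: quote each argument the way the Microsoft C runtime expects, then prefix every cmd.exe metacharacter with a caret, which produces the ^"...^" form seen in cmdout.log. The function names, the scan.exe path and the sample file name are constructed for the example.

```python
import re

# cmd.exe metacharacters, as listed in the MSDN post this article links to.
# Inside a character class '^' is literal when it is not the first character.
_CMD_META = re.compile(r'([()%!^"<>&|])')


def argv_quote(arg: str, force: bool = True) -> str:
    """Quote one argument so the Microsoft C runtime parses it back unchanged.

    Rules from the cited post: wrap in double quotes, escape an embedded quote
    as \", and double every run of backslashes that precedes a quote or the end.
    """
    if not force and arg and not any(c in arg for c in ' \t\n\v"'):
        return arg                      # nothing to protect, no quoting added
    out = ['"']
    backslashes = 0
    for ch in arg:
        if ch == '\\':
            backslashes += 1            # defer: meaning depends on what follows
        elif ch == '"':
            out.append('\\' * (backslashes * 2 + 1) + '"')
            backslashes = 0
        else:
            out.append('\\' * backslashes + ch)
            backslashes = 0
    out.append('\\' * (backslashes * 2) + '"')   # trailing backslashes before the closing quote
    return ''.join(out)


def cmd_escape(arg: str) -> str:
    """Quote for CreateProcess, then caret-escape every cmd.exe metacharacter.

    cmd strips each ^ and copies the next character literally, so & | < > etc.
    inside an uploaded file name can no longer start a second command.
    """
    return _CMD_META.sub(r'^\1', argv_quote(arg, force=True))


def contains_cmd_meta(arg: str) -> bool:
    """Detection helper: True if a file name carries any cmd.exe metacharacter."""
    return _CMD_META.search(arg) is not None


def build_command_line(exe: str, args: list) -> str:
    """Assemble a full 'cmd /c' line with every argument escaped."""
    return ' '.join([cmd_escape(exe)] + [cmd_escape(a) for a in args])


if __name__ == '__main__':
    uploaded = 'invoice&calc.exe.txt'   # constructed sample: name smuggles a second command
    print(contains_cmd_meta(uploaded))  # True
    print(build_command_line(r'C:\tools\scan.exe', [uploaded]))
```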

