THE INFORMATION IN THIS ARTICLE APPLIES TO:
Upon upgrades to 7.4.11 or later, EFT adds a ^ (caret) to any parameters being passed in Custom Commands.
EFT adds the ^ to avoid arbitrary code execution.
File names passed in a Custom Command are not encapsulated in quotation marks unless there is a space in the filename. This lack of quotation marks could allow users to have control over the file name. Not all special characters can be disallowed by EFT; Therefore, a user could upload a filename that could execute commands. File names and paths, when passed to Custom Commands as parameters should always be encapsulated in quotes to avoid any arbitrary remote code execution.
After upgrading to 7.4.11 or later, EFT encloses file names and parameters with carets and quotation marks. You can see results, including errors, in the command log file, C:\ProgramData\Globalscape\EFT Server Enterprise\Logs\cmdout.log. (The cmdout.log file is only created when you run an Event Rule that uses the Execute Command in folder Action.)
You can read more about command line arguments with quotation marks vs carets in the Microsoft MSDN blog:
"While the [quotation mark] cannot fully protect metacharacters in our command lines against unintended shell interpretation, the ^ [caret] metacharacter can. When cmd transforms a command line and sees a ^, it ignores the ^ character itself and copies the next character to the new command line literally, metacharacter or not. That's why ^ works as the line continuation character: it tells cmd to copy a subsequent newline as itself instead of regarding that newline as a command terminator. If we prefix with ^ every metacharacter in an argument string, cmd will transform that string into the one we mean to use."
Optionally provide private feedback to help us improve this article...
Thank you for your feedback!