Search

GlobalSCAPE Knowledge Base

After upgrade, Event Rule is adding ^ symbol to custom command

Karla Marsh
EFT

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT, v7.4.11 and later

SYMPTOM

Upon upgrades to 7.4.11 or later, EFT adds a ^ (caret) to any parameters being passed in Custom Commands.

CAUSE

EFT adds the ^ to avoid arbitrary code execution.

MORE INFORMATION

File names passed in a Custom Command are not encapsulated in quotation marks unless there is a space in the filename. This lack of quotation marks could allow users to have control over the file name. Not all special characters can be disallowed by EFT; Therefore, a user could upload a filename that could execute commands. File names and paths, when passed to Custom Commands as parameters should always be encapsulated in quotes to avoid any arbitrary remote code execution.

After upgrading to 7.4.11 or later, EFT encloses file names and parameters with carets and quotation marks. You can see results, including errors, in the command log file, C:\ProgramData\Globalscape\EFT Server Enterprise\Logs\cmdout.log. (The cmdout.log file is only created when you run an Event Rule that uses the Execute Command in folder Action.)

You can read more about command line arguments with quotation marks vs carets in the Microsoft MSDN blog: https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/

"While the [quotation mark] cannot fully protect metacharacters in our command lines against unintended shell interpretation, the ^ [caret] metacharacter can. When cmd transforms a command line and sees a ^, it ignores the ^ character itself and copies the next character to the new command line literally, metacharacter or not. That's why ^ works as the line continuation character: it tells cmd to copy a subsequent newline as itself instead of regarding that newline as a command terminator. If we prefix with ^ every metacharacter in an argument string, cmd will transform that string into the one we mean to use."

Details
Last Modified: 5 Years Ago
Last Modified By: kmarsh
Type: INFO
Article not rated yet.
Article has been viewed 2.6K times.
Options
Also In This Category