Hello and thank you for creating this invaluable project.
I think it would be better if the runCommand method accepted an array of parameters, instead of a parameter string.
-
Currently, it is not possible to pass arguments to OpenSSL containing spaces, or empty arguments. The minimalistic splitting code used by openssl.js splits only by continuous runs of whitespace.
-
Careless users of openssl.js may not sanitize input, thus allowing injection of arbitrary OpenSSL arguments. This might lead to security problems.
The parameter I encountered this with was the -challenge option for openssl spkac, when implementing a polyfill for the deprecated <keygen> tag. <keygen> has a challenge attribute which should be passed to this option, so the library should be able to pass any string that can occur in a DOM attribute node.
Hello and thank you for creating this invaluable project.
I think it would be better if the
runCommandmethod accepted an array of parameters, instead of a parameter string.Currently, it is not possible to pass arguments to OpenSSL containing spaces, or empty arguments. The minimalistic splitting code used by openssl.js splits only by continuous runs of whitespace.
Careless users of openssl.js may not sanitize input, thus allowing injection of arbitrary OpenSSL arguments. This might lead to security problems.
The parameter I encountered this with was the
-challengeoption foropenssl spkac, when implementing a polyfill for the deprecated<keygen>tag.<keygen>has achallengeattribute which should be passed to this option, so the library should be able to pass any string that can occur in a DOM attribute node.