Anchoring

For better security out of the box, always perform exact matching unless
a more lenient pattern is explicitly provided by the administrator.

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>

authorized-exec.pl

@@ -40,7 +40,7 @@ if ($ssh_cmd) {
 	exit 1
 }
 
-my %cmds = map { qr{$_} => 1 } @{$config{$user}};
+my %cmds = map { qr/^$_$/ => 1 } @{$config{$user}};
 
 if ( any { $cmd =~ $_ } keys %cmds ) {
 	exec $cmd;

authorized-exec.spec

@@ -18,7 +18,7 @@
 
 
 Name:           authorized-exec
-Version:        1.0
+Version:        1.1
 Release:        0
 Summary:        Health check
 License:        EUPL-1.2

config.example.pl

@@ -1,10 +1,11 @@
+# the patterns are read as regular expressions and anchored with ^ and $ by default
 (
 	'georg' => [
-		'^echo hi$',
-		'^true$',
-		'^printf %s [a-z0-9 ]+$',
+		'echo hi',
+		'true',
+		'printf %s [a-z0-9 ]+',
 	],
 	'root' => [
-		'^ls -a /root$',
+		'ls -a /root',
 	],
 )