[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
emacs-28 e339926272a 4/8: Fix etags local command injection vulnerabilit
From: |
Stefan Kangas |
Subject: |
emacs-28 e339926272a 4/8: Fix etags local command injection vulnerability |
Date: |
Fri, 17 Feb 2023 05:23:14 -0500 (EST) |
branch: emacs-28
commit e339926272a598bd9ee7e02989c1662b89e64cf0
Author: lu4nx <lx@shellcodes.org>
Commit: Stefan Kangas <stefankangas@gmail.com>
Fix etags local command injection vulnerability
* lib-src/etags.c: (escape_shell_arg_string): New function.
(process_file_name): Use it to quote file names passed to the
shell. (Bug#59817)
(cherry picked from commit 01a4035c869b91c153af9a9132c87adb7669ea1c)
---
lib-src/etags.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 58 insertions(+), 5 deletions(-)
diff --git a/lib-src/etags.c b/lib-src/etags.c
index c9c32691016..a6bd7f66e29 100644
--- a/lib-src/etags.c
+++ b/lib-src/etags.c
@@ -408,6 +408,7 @@ static void invalidate_nodes (fdesc *, node **);
static void put_entries (node *);
static void clean_matched_file_tag (char const * const, char const * const);
+static char *escape_shell_arg_string (char *);
static void do_move_file (const char *, const char *);
static char *concat (const char *, const char *, const char *);
static char *skip_spaces (char *);
@@ -1704,13 +1705,16 @@ process_file_name (char *file, language *lang)
else
{
#if MSDOS || defined (DOS_NT)
- char *cmd1 = concat (compr->command, " \"", real_name);
- char *cmd = concat (cmd1, "\" > ", tmp_name);
+ int buf_len = strlen (compr->command) + strlen (" \"\" > \"\"") +
strlen (real_name) + strlen (tmp_name) + 1;
+ char *cmd = xmalloc (buf_len);
+ snprintf (cmd, buf_len, "%s \"%s\" > \"%s\"", compr->command,
real_name, tmp_name);
#else
- char *cmd1 = concat (compr->command, " '", real_name);
- char *cmd = concat (cmd1, "' > ", tmp_name);
+ char *new_real_name = escape_shell_arg_string (real_name);
+ char *new_tmp_name = escape_shell_arg_string (tmp_name);
+ int buf_len = strlen (compr->command) + strlen (" > ") + strlen
(new_real_name) + strlen (new_tmp_name) + 1;
+ char *cmd = xmalloc (buf_len);
+ snprintf (cmd, buf_len, "%s %s > %s", compr->command, new_real_name,
new_tmp_name);
#endif
- free (cmd1);
inf = (system (cmd) == -1
? NULL
: fopen (tmp_name, "r" FOPEN_BINARY));
@@ -7689,6 +7693,55 @@ etags_mktmp (void)
return templt;
}
+/*
+ * Adds single quotes around a string, if found single quotes, escaped it.
+ * Return a newly-allocated string.
+ *
+ * For example:
+ * escape_shell_arg_string("test.txt") => 'test.txt'
+ * escape_shell_arg_string("'test.txt") => ''\''test.txt'
+ */
+static char *
+escape_shell_arg_string (char *str)
+{
+ char *p = str;
+ int need_space = 2; /* ' at begin and end */
+
+ while (*p != '\0')
+ {
+ if (*p == '\'')
+ need_space += 4; /* ' to '\'', length is 4 */
+ else
+ need_space++;
+
+ p++;
+ }
+
+ char *new_str = xnew (need_space + 1, char);
+ new_str[0] = '\'';
+ new_str[need_space-1] = '\'';
+
+ int i = 1; /* skip first byte */
+ p = str;
+ while (*p != '\0')
+ {
+ new_str[i] = *p;
+ if (*p == '\'')
+ {
+ new_str[i+1] = '\\';
+ new_str[i+2] = '\'';
+ new_str[i+3] = '\'';
+ i += 3;
+ }
+
+ i++;
+ p++;
+ }
+
+ new_str[need_space] = '\0';
+ return new_str;
+}
+
static void
do_move_file(const char *src_file, const char *dst_file)
{
- emacs-28 updated (ae9bfed50db -> f7bd5ac5521), Stefan Kangas, 2023/02/17
- emacs-28 e61d743d440 6/8: Update NEWS for Emacs 28.3, Stefan Kangas, 2023/02/17
- emacs-28 5d05ea803e9 3/8: Fixed ctags local command execute vulnerability, Stefan Kangas, 2023/02/17
- emacs-28 22fb5ff5126 2/8: Fix ruby-mode.el local command injection vulnerability (bug#60268), Stefan Kangas, 2023/02/17
- emacs-28 ba3aba3096a 7/8: Bump Emacs version to 28.3, Stefan Kangas, 2023/02/17
- emacs-28 e339926272a 4/8: Fix etags local command injection vulnerability,
Stefan Kangas <=
- emacs-28 f7bd5ac5521 8/8: Update HISTORY for Emacs 28.3, Stefan Kangas, 2023/02/17
- emacs-28 807d2d5b3a7 1/8: Fix htmlfontify.el command injection vulnerability., Stefan Kangas, 2023/02/17
- emacs-28 4a77fcb1478 5/8: Update ChangeLog and AUTHORS for Emacs 28.3, Stefan Kangas, 2023/02/17