emacs-bug-tracker

bug#60295: closed ([PATCH] Fix htmlfontify.el command injection vulnerab


From: GNU bug Tracking System
Subject: bug#60295: closed ([PATCH] Fix htmlfontify.el command injection vulnerability)
Date: Tue, 27 Dec 2022 14:12:01 +0000

Your message dated Tue, 27 Dec 2022 16:11:21 +0200
with message-id <83k02d0wdy.fsf@gnu.org>
and subject line Re: bug#60295: [PATCH] Fix htmlfontify.el command injection 
vulnerability
has caused the debbugs.gnu.org bug report #60295,
regarding [PATCH] Fix htmlfontify.el command injection vulnerability
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)


-- 
60295: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60295
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
--- Begin Message ---
Subject: [PATCH] Fix htmlfontify.el command injection vulnerability
Date: Sat, 24 Dec 2022 17:03:09 +0800

Test information:
Emacs version: GNU Emacs 29.0.60
OS: Fedora Linux 37

htmlfontify.el has a command injection vulnerability:

(defcustom hfy-istext-command "file %s | sed -e 's@^[^:]*:[ \t]*@@'"
  :tag   "istext-command"
  :type  '(string))

(defun hfy-text-p (srcdir file)
  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
         (rsp (shell-command-to-string cmd)))
    ...))

Parameter 'file' and parameter 'srcdir' come from external input, and
the parameters are not escaped. So, if a file name or directory name
contains shell characters, they will be executed.

For example:

$ mkdir vul_test
$ cd vul_test
$ echo hello > ";uname>hack.txt#"
$ ls
;uname>hack.txt#

In Emacs, type M-x htmlfontify-copy-and-link-dir and input the vul_test
path; at this time, hack.txt is added to the vul_test directory:

$ ls
;uname>hack.txt#  hack.txt#
$ cat hack.txt\#
Linux

The attachment is the patch file, thanks.



Attachment: 0001-Fix-htmlfontify.el-command-injection-vulnerability.patch
Description: Text Data


--- End Message ---
--- Begin Message ---
Subject: Re: bug#60295: [PATCH] Fix htmlfontify.el command injection vulnerability
Date: Tue, 27 Dec 2022 16:11:21 +0200

> Date: Sat, 24 Dec 2022 17:03:09 +0800
> From: lux <lx@shellcodes.org>
> 
> Test information:
> Emacs version: GNU Emacs 29.0.60
> OS: Fedora Linux 37
> 
> htmlfontify.el has a command injection vulnerability:
> 
> (defcustom hfy-istext-command "file %s | sed -e 's@^[^:]*:[ \t]*@@'"
>   :tag   "istext-command"
>   :type  '(string))
> 
> (defun hfy-text-p (srcdir file)
>   (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
>          (rsp (shell-command-to-string cmd)))
>     ...))
> 
> Parameter 'file' and parameter 'srcdir' come from external input, and
> the parameters are not escaped. So, if a file name or directory name
> contains shell characters, they will be executed.
> 
> For example:
> 
> $ mkdir vul_test
> $ cd vul_test
> $ echo hello > ";uname>hack.txt#"
> $ ls
> ;uname>hack.txt#
> 
> In Emacs, type M-x htmlfontify-copy-and-link-dir and input the vul_test
> path; at this time, hack.txt is added to the vul_test directory:
> 
> $ ls
> ;uname>hack.txt#  hack.txt#
> $ cat hack.txt\#
> Linux
> 
> The attachment is the patch file, thanks.

Thanks, installed on the emacs-29 branch, and closing the bug.


--- End Message ---
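
The pattern reported in this thread, next to two hardened forms, as an added example: it is not part of the thread, not htmlfontify.el's own code, and not the attached patch (which this page does not show). The `my-hfy-` names are hypothetical, the command template is copied from the report, and the last function assumes a file(1) that accepts `--brief`.

```elisp
;;; Added example: hypothetical my-hfy-* helpers, not htmlfontify.el code.
(require 'subr-x)  ; for `string-trim' on older Emacs versions

(defvar my-hfy-istext-command "file %s | sed -e 's@^[^:]*:[ \t]*@@'"
  "Command template copied from `hfy-istext-command' as quoted in the report.")

(defun my-hfy-command-unquoted (srcdir file)
  "Build the command as the report describes: the path is pasted in raw.
Any shell metacharacter in FILE or SRCDIR becomes shell syntax."
  (format my-hfy-istext-command (expand-file-name file srcdir)))

(defun my-hfy-command-quoted (srcdir file)
  "Build the command with the path quoted as a single shell word.
`shell-quote-argument' escapes metacharacters such as ; > and #."
  (format my-hfy-istext-command
          (shell-quote-argument (expand-file-name file srcdir))))

(defun my-hfy-file-type-no-shell (srcdir file)
  "Return file(1)'s description of FILE in SRCDIR without using a shell.
`call-process' passes each argument to the program directly, so nothing
in the file name is ever parsed as a command.  \"--\" stops a name that
begins with a dash from being read as an option."
  (with-temp-buffer
    (call-process "file" nil t nil "--brief" "--"
                  (expand-file-name file srcdir))
    (string-trim (buffer-string))))

;; Constructed sample input: the directory and file name used in the report.
;; Only the command strings are built and displayed; nothing is executed.
(let ((dir "/tmp/vul_test")
      (name ";uname>hack.txt#"))
  (message "unquoted: %s" (my-hfy-command-unquoted dir name))
  (message "quoted:   %s" (my-hfy-command-quoted dir name)))
```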
