bug#59817: [PATCH] Fix etags local command injection vulnerability
From: Eli Zaretskii
Subject: bug#59817: [PATCH] Fix etags local command injection vulnerability
Date: Tue, 06 Dec 2022 16:52:40 +0200

> Date: Tue, 6 Dec 2022 21:11:35 +0800
> From: lux <lx@shellcodes.org>
> Cc: stefankangas@gmail.com, 59817@debbugs.gnu.org
>
> On Tue, 06 Dec 2022 14:55:09 +0200
> Eli Zaretskii <eliz@gnu.org> wrote:
>
> > The "MSDOS || DOS_NT" case also needs a small change:
> >
> > > char *cmd = concat (cmd1, "\" > ", tmp_name);
> >
> > This doesn't quote tmp_name; it should.
>
> Because double quotes have been used here

The double quotes are only around real_name, but not around tmp_name. One
of the issues you originally described was a bogus value of the TEMP
environment variable, which gets used in etags_mktmp that produces tmp_name.

> I have not reproduced this
> vulnerability in Windows, so I have not dealt:
>
> $ touch "etags.c\" && ipconfig \".z"
> $ ./etags.exe "etags.c\" && ipconfig \".z"
> etags.c" && ipconfig ".z: Invalid argument

Windows file names cannot include quote characters, so don't use them. And
it's TEMP value that you need to tweak, not the file names etags scans.

> > I don't understand why you are adding ''\'' and not just \'.
> > Wouldn't the latter work for some reason?
> >
>
> Because the single quote escape is: '\''
>
> $ echo ''\''hello world'\'''
> 'hello world'
> $ echo 'I'\''m a poor man'
> I'm a poor man

I don't understand why you need an extra pair of quotes in the expanded
string.

  $ echo \''hello; world'
  'hello; world

As you see, the semi-colon was successfully hidden from the shell.
What am I missing?
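
Added example, not part of the thread or of the submitted patch: a C sketch of the single-quote escaping discussed above, for a string that is wrapped as a whole in single quotes before being handed to a POSIX shell. The names shell_quote and roundtrip_ok are hypothetical, and the sample file name is the one from the quoted test.

```c
#define _POSIX_C_SOURCE 200809L	/* for popen/pclose */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not etags code: return a malloc'd copy of S wrapped
   in single quotes, with each ' rewritten as '\'' (close the quote, emit an
   escaped quote, reopen).  Inside '...' a POSIX shell keeps \ literal.  */
char *shell_quote (const char *s)
{
  size_t n = 3;			/* two outer quotes + NUL */
  for (const char *p = s; *p; p++)
    n += (*p == '\'') ? 4 : 1;
  char *out = malloc (n), *q = out;
  if (!out)
    return NULL;
  *q++ = '\'';
  for (const char *p = s; *p; p++)
    if (*p == '\'')
      { memcpy (q, "'\\''", 4); q += 4; }
    else
      *q++ = *p;
  *q++ = '\''; *q = '\0';
  return out;
}

/* Hand S to /bin/sh as one quoted printf argument; return 1 if the shell
   gives back exactly the same bytes, i.e. nothing in S was interpreted.  */
int roundtrip_ok (const char *s)
{
  char *quoted = shell_quote (s);
  if (!quoted) return 0;
  size_t len = strlen (quoted) + sizeof "printf %s ";
  char *cmd = malloc (len), buf[256] = "";
  if (!cmd) { free (quoted); return 0; }
  snprintf (cmd, len, "printf %%s %s", quoted);
  FILE *fp = popen (cmd, "r");
  size_t got = fp ? fread (buf, 1, sizeof buf - 1, fp) : 0;
  if (fp) pclose (fp);
  buf[got] = '\0';
  free (cmd); free (quoted);
  return strcmp (buf, s) == 0;
}

int main (void)
{
  const char *name = "etags.c\" && ipconfig \".z"; /* name from the thread */
  char *q = shell_quote (name);
  printf ("%s -> %s\n", q ? q : "(oom)", roundtrip_ok (name) ? "data only" : "MISMATCH");
  free (q); return 0;
}
```

This covers only commands run through a POSIX sh; the MSDOS/DOS_NT branch discussed above goes through a different command interpreter with different quoting rules.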