bug#60268: [PATCH] Fix ruby-mode.el local command injection vulnerabilit
From: lux
Subject: bug#60268: [PATCH] Fix ruby-mode.el local command injection vulnerability
Date: Fri, 23 Dec 2022 12:56:30 +0800

In ruby-mode.el, the 'ruby-find-library-file' function has a local
command injection vulnerability:

    (defun ruby-find-library-file (&optional feature-name)
      (interactive)
      ...
      (shell-command-to-string (concat "gem which "
                                       (shell-quote-argument feature-name))) ...)

The 'ruby-find-library-file' is an interactive function, and is bound to the
shortcut key C-c C-f. Inside the function, the external command 'gem' is
called through 'shell-command-to-string', but the 'feature-name'
parameters are not escaped.

So, if the Ruby source file contains the following:

    require 'irb;id'

and you type C-c C-f, there is a risk of executing unexpected orders, for
example:

    (ruby-find-library-file "irb;uname")
    #<buffer irb.rb
    Linux>

Although the probability of being exploited is low, I think it's
still necessary to avoid this kind of security problem.

The attachment is the patch file, thanks.

0001-Fix-etags-local-command-injection-vulnerability.patch
Description: Text Data
0001-Fix-ruby-mode.el-local-command-injection-vulnerabili.patch
Description: Text Data
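
An added example in Emacs Lisp, not taken from ruby-mode.el or from the attached patch: it contrasts the concatenated shell command described in the report with a quoted one, and with running 'gem' through an argument vector so that no shell parses the feature name. All `my-` names and the allow-list pattern are assumptions made for illustration.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: not code from ruby-mode.el or from the attached patch.
;; All `my-' names and the allow-list pattern are hypothetical.
(require 'subr-x)

(defun my-gem-which-concat (feature-name)
  "Return the shell command built by plain concatenation.
The shell parses FEATURE-NAME, so `;' in it ends the gem command."
  (concat "gem which " feature-name))

(defun my-gem-which-quoted (feature-name)
  "Return the shell command with FEATURE-NAME quoted as one shell word."
  (concat "gem which " (shell-quote-argument feature-name)))

(defun my-feature-name-ok-p (feature-name)
  "Non-nil if FEATURE-NAME looks like a plain library path.
Assumed allow-list: letters, digits, `_', `.', `/', `-', and no
leading `-', which gem could otherwise read as an option."
  (string-match-p "\\`[[:alnum:]_][[:alnum:]_./-]*\\'" feature-name))

(defun my-gem-which (feature-name)
  "Run `gem which FEATURE-NAME' without a shell and return its output.
FEATURE-NAME is passed as a single argv element."
  (unless (my-feature-name-ok-p feature-name)
    (user-error "Refusing suspicious feature name: %S" feature-name))
  (unless (executable-find "gem")
    (user-error "gem executable not found"))
  (with-temp-buffer
    (call-process "gem" nil t nil "which" feature-name)
    (string-trim (buffer-string))))

;; Constructed sample input: the value used in the report above.
(let ((name "irb;uname"))
  (message "concat : %s" (my-gem-which-concat name))
  (message "quoted : %s" (my-gem-which-quoted name))
  (message "allowed: %s" (if (my-feature-name-ok-p name) "yes" "no"))
  (message "irb    : %s" (if (my-feature-name-ok-p "irb") "yes" "no")))
```

Evaluating the buffer only builds and prints the command strings; `my-gem-which` is the one function that starts a process, and it does so through `call-process` with the name as a single argument.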