bug-gnu-emacs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#60268: [PATCH] Fix ruby-mode.el local command injection vulnerabilit

From: Dmitry Gutov
Subject: bug#60268: [PATCH] Fix ruby-mode.el local command injection vulnerability
Date: Sat, 24 Dec 2022 01:43:56 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.4.2 
Version: 29.1

On 23/12/2022 06:56, lux wrote:

In ruby-mode.el, the 'ruby-find-library-file' function have a local
command injection vulnerability:

        (defun ruby-find-library-file (&optional feature-name)
          (interactive)
          ...
          (shell-command-to-string (concat "gem which "
        (shell-quote-argument feature-name))) ...)

The 'ruby-find-library-file' is a interactive function, and bound to the
shortcut key C-c C-f. Inside the function, the external command 'gem' is
called through 'shell-command-to-string', but the 'feature-name'
parameters are not escape.

So, if the Ruby source file contains the following:

        require 'irb;id'

and typing C-c C-f, there is a risk of executing unexpected orders, for
example:

        (ruby-find-library-file "irb;uname")
        #<buffer irb.rb
        Linux>

Although the probability of being exploited is low, but I think it's
still necessary to avoid this kind of security problem.

The attachment is the patch file, thanks.


Thanks! Installed.
reply via email to
[Prev in Thread] Current Thread [Next in Thread]