bug#60295: [PATCH] Fix htmlfontify.el command injection vulnerability
From: lux
Subject: bug#60295: [PATCH] Fix htmlfontify.el command injection vulnerability
Date: Sat, 24 Dec 2022 17:03:09 +0800
Test information:
Emacs version: GNU Emacs 29.0.60
OS: Fedora Linux 37
htmlfontify.el has a command injection vulnerability:
(defcustom hfy-istext-command "file %s | sed -e 's@^[^:]*:[ \t]*@@'"
  :tag "istext-command"
  :type '(string))

(defun hfy-text-p (srcdir file)
  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
         (rsp (shell-command-to-string cmd)))
    ...))
Parameter 'file' and parameter 'srcdir' come from external input, and
the parameters are not escaped. So, if a file name or directory name
contains shell characters, they will be executed.
For example:
$ mkdir vul_test
$ cd vul_test
$ echo hello > ";uname>hack.txt#"
$ ls
;uname>hack.txt#
In Emacs, type M-x htmlfontify-copy-and-link-dir and input the vul_test
path; at this time, hack.txt is added to the vul_test directory:
$ ls
;uname>hack.txt# hack.txt#
$ cat hack.txt\#
Linux
The attachment is the patch file, thanks.
0001-Fix-htmlfontify.el-command-injection-vulnerability.patch
Description: Text Data
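Added example (not the patch attached to this message and not code from the Emacs project): one way to keep a file name from being interpreted by the shell, either by quoting it with shell-quote-argument before it is formatted into the command, or by running file(1) through call-process with no shell at all. Every my-hfy-* name is hypothetical, and the call-process variant assumes a file(1) that accepts --brief and --.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example; every `my-hfy-' name is hypothetical.
(require 'subr-x)                       ; `string-trim' on older Emacs

(defvar my-hfy-istext-command "file %s | sed -e 's@^[^:]*:[ \t]*@@'"
  "Same template as the `hfy-istext-command' default quoted in the report.")

(defun my-hfy-command-unquoted (srcdir file)
  "Build the command as the reported code does: the path is pasted in raw."
  (format my-hfy-istext-command (expand-file-name file srcdir)))

(defun my-hfy-command-quoted (srcdir file)
  "Build the command with the path quoted as a single shell word."
  (format my-hfy-istext-command
          (shell-quote-argument (expand-file-name file srcdir))))

(defun my-hfy-file-type (srcdir file)
  "Return file(1)'s description of FILE in SRCDIR without starting a shell."
  (with-temp-buffer
    ;; Each argument reaches file(1) as its own argv entry, so shell
    ;; metacharacters in the name are data.  "--" ends option parsing.
    (call-process "file" nil t nil "--brief" "--"
                  (expand-file-name file srcdir))
    (string-trim (buffer-string))))

(defun my-hfy-self-check ()
  "Run both safe variants on the report's file name in a scratch directory.
Return non-nil if the directory still holds only the original file."
  (let* ((dir (file-name-as-directory (make-temp-file "hfy-check" t)))
         (name ";uname>hack.txt#")      ; file name from the report
         (default-directory dir))       ; a stray redirect would land here
    (unwind-protect
        (progn
          (write-region "hello\n" nil (expand-file-name name dir))
          (shell-command-to-string (my-hfy-command-quoted dir name))
          (my-hfy-file-type dir name)
          (equal (directory-files dir nil directory-files-no-dot-files-regexp)
                 (list name)))
      (delete-directory dir t))))
```

Comparing the strings returned by my-hfy-command-unquoted and my-hfy-command-quoted for the same arguments shows where the shell stops treating the name as one word.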