path: root/main/newsbeuter/CVE-2017-12904.patch
blob: 77cf171cdf7ce6de3aff6499f53d1a516ef23893 (plain)
From d1460189f6f810ca9a3687af7bc43feb7f2af2d9 Mon Sep 17 00:00:00 2001
From: Alexander Batischev <eual.jp@gmail.com>
Date: Sat, 19 Aug 2017 15:09:25 +0300
Subject: [PATCH] Sanitize inputs to bookmark-cmd (#591)

Newsbeuter didn't properly shell-escape the arguments passed to
bookmarking command, which allows a remote attacker to perform remote
code execution by crafting an RSS item whose title and/or URL contain
something interpretable by the shell (most notably subshell
invocations.)

This has been reported by Jeriko One <jeriko.one@gmx.us>, complete with
PoC and a patch.

This vulnerability was assigned CVE-2017-12904.
---
 src/controller.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/controller.cpp b/src/controller.cpp
index 4fc10608..5c8e7b81 100644
--- a/src/controller.cpp
+++ b/src/controller.cpp
@@ -1275,9 +1275,10 @@ std::string controller::bookmark(const std::string& url, const std::string& titl
 	std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
 	bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
 	if (bookmark_cmd.length() > 0) {
-		std::string cmdline = utils::strprintf("%s '%s' %s %s",
+		std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
 		                                       bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
-		                                       stfl::quote(title).c_str(), stfl::quote(description).c_str());
+		                                       utils::replace_all(title,"'", "%27").c_str(),
+		                                       utils::replace_all(description,"'", "%27").c_str());
 
 		LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());
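Review bot: The two added `utils::replace_all(title,"'", "%27")` and `utils::replace_all(description,"'", "%27")` arguments apply URL percent-encoding to fields that are not URLs, so the bookmark command receives altered text: an apostrophe in a title or description arrives as the literal characters `%27`. The substitution does keep each value inside its single-quoted shell word, which is what closes the injection described in the commit message, but a small shell-quoting helper that replaces each embedded `'` with `'\''` would give the same protection without changing the data, and could be used for all three arguments so the quoting rule lives in one place. Longer term, running `bookmark-cmd` with an argument vector instead of a formatted command line would keep feed-supplied strings away from the shell entirely. A short comment above the `strprintf` call explaining why the quotes are replaced, plus a regression test with a title containing a subshell invocation and a single quote, would help keep this from regressing. Note also that the `LOG(LOG_DEBUG, ...)` context line writes the full command line, including feed-controlled text, to the debug log.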