From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail
From: Eli Zaretskii <eliz@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#60295: [PATCH] Fix htmlfontify.el command injection vulnerability
Date: Tue, 27 Dec 2022 16:11:21 +0200
Message-ID: <83k02d0wdy.fsf@gnu.org>
References: <tencent_F604EB715ACE18D754D6B8DDFDC9E785370A@qq.com>
Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214";
	logging-data="28415"; mail-complaints-to="usenet@ciao.gmane.io"
Cc: 60295-done@debbugs.gnu.org
To: lux <lx@shellcodes.org>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Tue Dec 27 15:12:26 2022
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org
Original-Received: from lists.gnu.org ([209.51.188.17])
	by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.92)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org>)
	id 1pAAgs-0007GA-Eb
	for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 27 Dec 2022 15:12:26 +0100
Original-Received: from localhost ([::1] helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <bug-gnu-emacs-bounces@gnu.org>)
	id 1pAAgX-0007on-UK; Tue, 27 Dec 2022 09:12:06 -0500
Original-Received: from eggs.gnu.org ([2001:470:142:3::10])
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1pAAgV-0007jj-8g
 for bug-gnu-emacs@gnu.org; Tue, 27 Dec 2022 09:12:03 -0500
Original-Received: from debbugs.gnu.org ([209.51.188.43])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1pAAgU-0004GC-M5
 for bug-gnu-emacs@gnu.org; Tue, 27 Dec 2022 09:12:02 -0500
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1pAAgU-0008NK-3d
 for bug-gnu-emacs@gnu.org; Tue, 27 Dec 2022 09:12:02 -0500
Resent-From: Eli Zaretskii <eliz@gnu.org>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-To: bug-gnu-emacs@gnu.org
Resent-Date: Tue, 27 Dec 2022 14:12:01 +0000
Resent-Message-ID: <handler.60295.D60295.167215028732148.done@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: cc-closed 60295
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: patch security
Mail-Followup-To: 60295@debbugs.gnu.org, eliz@gnu.org, lx@shellcodes.org
Original-Received: via spool by 60295-done@debbugs.gnu.org id=D60295.167215028732148
 (code D ref 60295); Tue, 27 Dec 2022 14:12:01 +0000
Original-Received: (at 60295-done) by debbugs.gnu.org; 27 Dec 2022 14:11:27 +0000
Original-Received: from localhost ([127.0.0.1]:54929 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1pAAfu-0008MS-Ue
 for submit@debbugs.gnu.org; Tue, 27 Dec 2022 09:11:27 -0500
Original-Received: from eggs.gnu.org ([209.51.188.92]:53272)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <eliz@gnu.org>) id 1pAAft-0008MG-Fy
 for 60295-done@debbugs.gnu.org; Tue, 27 Dec 2022 09:11:25 -0500
Original-Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@gnu.org>)
 id 1pAAfi-00046X-VO; Tue, 27 Dec 2022 09:11:19 -0500
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=References:Subject:In-Reply-To:To:From:Date:
 mime-version; bh=8tpHCuZIhaoIUB5y3oZ/RESnq9CGxRZghjcfiKA6C88=; b=GxNKwraBzBpp
 i14FqvvaUV3rfMMqDGLaXJ/j+299TUncsN4Cx5vZT4X5C1J9U66OMt5hdTynt/2wcm1gsew4PamLE
 PFQGwqWO/LLULU5yPrRNnPk3R8Qm1scH1Lsft2qzgvsBGkA6KxaKsvDPvzEGaJNDT3OmNNIS3CPc5
 dXPc7jjvMoS4+Y1CZ0GYUbSoAVulf9UAvAdViNsawoz4bdFlyEdFFJXuvyLDJQvXSug22fKu7OZcy
 PYX2+NtcBkAnKmLokq8eZ2puSsjgyImiUNSNUz0VGSa+dSJ8658B5dhCuDO4gBD31C6vk5+eb90dt
 cHrloQKtvP5P4RZmFjhGNw==;
Original-Received: from [87.69.77.57] (helo=home-c4e4a596f7)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@gnu.org>)
 id 1pAAfi-0007Iu-Cs; Tue, 27 Dec 2022 09:11:14 -0500
In-Reply-To: <tencent_F604EB715ACE18D754D6B8DDFDC9E785370A@qq.com> (message
 from lux on Sat, 24 Dec 2022 17:03:09 +0800)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
 the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
 <mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org
Xref: news.gmane.io gmane.emacs.bugs:251954
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/251954>

> Date: Sat, 24 Dec 2022 17:03:09 +0800
> From: lux <lx@shellcodes.org>
> 
> Test information:
> Emacs version: GNU Emacs 29.0.60
> OS: Fedora Linux 37
> 
> htmlfontify.el has a command injection vulnerability:
> 
> (defcustom hfy-istext-command "file %s | sed -e 's@^[^:]*:[ \t]*@@'"
>   :tag   "istext-command"
>   :type  '(string))
> 
> (defun hfy-text-p (srcdir file)
>   (let* ((cmd (format hfy-istext-command (expand-file-name file
> srcdir))) (rsp (shell-command-to-string    cmd)))
>     ...))
> 
> Parameter 'file' and parameter 'srcdir' come from external input, and 
> parameters are not escape. So, if file name or directory name contains
> shell characters and will be executed.
> 
> For example:
> 
> $ mkdir vul_test
> $ cd vul_test
> $ echo hello > ";uname>hack.txt#"
> $ ls
> ;uname>hack.txt#
> 
> In Emacs, type M-x htmlfontify-copy-and-link-dir, and inputing vul_test
> path, at this time, hack.txt is added to the vul_test directory:
> 
> $ ls
> ;uname>hack.txt#  hack.txt#
> $ cat hack.txt\#
> Linux
> 
> The attachment is the patch file, thanks.

Thanks, installed on the emacs-29 branch, and closing the bug.