From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: lux Newsgroups: gmane.emacs.bugs Subject: bug#59817: [PATCH] Fix etags local command injection vulnerability Date: Tue, 6 Dec 2022 15:48:10 +0800 Message-ID: References: <83r0xf9qsx.fsf@gnu.org> <834jua9ggd.fsf@gnu.org> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="MP_/FwVzzdtNKr4yNw4mD=nQy5f" Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="22697"; mail-complaints-to="usenet@ciao.gmane.io" Cc: Stefan Kangas , 59817@debbugs.gnu.org To: Eli Zaretskii Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Tue Dec 06 08:57:24 2022 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1p2SpO-0005iP-Nt for geb-bug-gnu-emacs@m.gmane-mx.org; Tue, 06 Dec 2022 08:57:23 +0100 Original-Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1p2Sp8-0002XA-1W; Tue, 06 Dec 2022 02:57:06 -0500 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1p2Sp5-0002Wi-D8 for bug-gnu-emacs@gnu.org; Tue, 06 Dec 2022 02:57:04 -0500 Original-Received: from debbugs.gnu.org ([209.51.188.43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1p2Sp4-0001ca-Ts for bug-gnu-emacs@gnu.org; Tue, 06 Dec 2022 02:57:02 -0500 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1p2Sp4-0004Dd-A2 for bug-gnu-emacs@gnu.org; Tue, 06 Dec 2022 02:57:02 -0500 X-Loop: help-debbugs@gnu.org Resent-From: lux Original-Sender: "Debbugs-submit" Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Tue, 06 Dec 2022 07:57:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 59817 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: patch Original-Received: via spool by 59817-submit@debbugs.gnu.org id=B59817.167031341916211 (code B ref 59817); Tue, 06 Dec 2022 07:57:02 +0000 Original-Received: (at 59817) by debbugs.gnu.org; 6 Dec 2022 07:56:59 +0000 Original-Received: from localhost ([127.0.0.1]:41321 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1p2Soz-0004DP-QR for submit@debbugs.gnu.org; Tue, 06 Dec 2022 02:56:59 -0500 Original-Received: from out203-205-221-221.mail.qq.com ([203.205.221.221]:49347) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1p2Sos-0004DJ-5M for 59817@debbugs.gnu.org; Tue, 06 Dec 2022 02:56:56 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=qq.com; s=s201512; t=1670313400; bh=JOu1GaxAvqUY2u+IvYvDWnqqM72KSZ8Gq/jUmw78viw=; h=Date:From:To:Cc:Subject:In-Reply-To:References; b=X8Rdl6QbuOJLvCX9DKfpTSGVSxIklm1atlAHx83nKDU/IYUEcR5o+PaDl4JRsj/ir BnNujbPMrYuSC6lEuu+5bgAoFnq0zaN7M/+5vpgGl4V7Yx/AhHbtb55GITyA8nRLAu 8NEho3abI0F2CbR23wZ7FtG3vwVdK/qdpF+PB5MI= Original-Received: from lx-pc ([1.14.69.203]) by newxmesmtplogicsvrszc1-0.qq.com (NewEsmtp) with SMTP id E269422D; Tue, 06 Dec 2022 15:56:38 +0800 X-QQ-mid: xmsmtpt1670313398t4wvl22q3 X-QQ-XMAILINFO: OUMxvQDaATie1h/6aekoVE8149TL6j3w1RNvzMUuXklFv4x9FJQMsdWq9WXh9R p0a7BcGRmb4C+fujgdera8z27/fWSnH0WwEX2Nvi+GupOhz7CDQp9zIOfX45HJ/xfp/u2OPG402M iJXlIwL/iK6/8EpB5ltw3kBqCPVswIijPKZDDje75ZE7UOMFnGr684U+4j43u5E68pWPjILUh8wS 8kJqiw5OU8u+J2L9/6ZXGL1DI5TrMxIv10TkAxJQtkyixuUEkzMieotHbpDr84z75Neukhsxt4M3 tLr5WzzbRbc3+ed+kly5+TxUEO4joOdH6Ew+apyTBa35zlHaaDCww/N7uOnbtxjYh58ySU3Pc5Ga ISKiDJSN5RZMqZTTEE3ZFXe6nIRiH1kV92aPGbY28nMC3uTPr+8gTgC6PnuO+VQFm0Qrq665wxmg /EefAoZwW9i2kGSdGBKC1g7wHeFNcs/2KqVY8Chfk9NsoDTgMDOzFSpf3uuihguLgFKzReB0omI8 1NfMdbki03I0ViK5ffVRZIim9TqRd/3o364+b+DYYIwaAVHnSJ1JGq8tDeCqn8Au4+flgolnIxpD yBAIsYEDeaMIH16bPqw7aOVuJq75P4cpbC6Cc7Bn6ZOML6VKE6rFr091gaUYVmjUq+DspUVa1hP7 lXx5EN+XawvE90Z1WMuNUIHYcyhcG9VDOuyqa9TArQhXOuCIgJjZh7OzDPac3SnDUFyuWuCd5fbc iQp8P+4vQBAN7vU9oUV3d1uvBUANvGpet2cqj+Td0SNTsAvfH8DidTWgZDF2XZRTWFCth1syYeMZ WtySifruw8j+XGJ8Di0RDzCoiTlFM34E0PveJxf8 X-OQ-MSGID: <20221206154810.4a8b029c@lx-pc> In-Reply-To: <834jua9ggd.fsf@gnu.org> X-Mailer: Claws Mail 4.1.1 (GTK 3.24.35; x86_64-redhat-linux-gnu) X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane-mx.org@gnu.org Xref: news.gmane.io gmane.emacs.bugs:250091 Archived-At: --MP_/FwVzzdtNKr4yNw4mD=nQy5f Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Disposition: inline On Mon, 05 Dec 2022 14:34:58 +0200 Eli Zaretskii wrote: > There's no reason to try detecting which characters are dangerous and > which aren't. We should instead quote all the file names that come > from outside of the program, so that what's inside the quotes is > interpreted verbatim. Thanks, this is new patch. --MP_/FwVzzdtNKr4yNw4mD=nQy5f Content-Type: text/x-patch Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=0001-Fix-etags-local-command-injection-vulnerability.patch >From 3ba143533d74d4caf59a192de6cab4a130140ce7 Mon Sep 17 00:00:00 2001 From: lu4nx Date: Tue, 6 Dec 2022 15:42:40 +0800 Subject: [PATCH] Fix etags local command injection vulnerability * lib-src/etags.c: (escape_shell_arg_string): New function. --- lib-src/etags.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 56 insertions(+), 2 deletions(-) diff --git a/lib-src/etags.c b/lib-src/etags.c index d1d20858cd..c3ecbc2221 100644 --- a/lib-src/etags.c +++ b/lib-src/etags.c @@ -401,6 +401,7 @@ #define xrnew(op, n, m) ((op) = xnrealloc (op, n, (m) * sizeof *(op))) static void put_entries (node *); static void cleanup_tags_file (char const * const, char const * const); +static char* escape_shell_arg_string (char *); static void do_move_file (const char *, const char *); static char *concat (const char *, const char *, const char *); static char *skip_spaces (char *); @@ -1716,8 +1717,12 @@ process_file_name (char *file, language *lang) char *cmd1 = concat (compr->command, " \"", real_name); char *cmd = concat (cmd1, "\" > ", tmp_name); #else - char *cmd1 = concat (compr->command, " '", real_name); - char *cmd = concat (cmd1, "' > ", tmp_name); + char *new_real_name = escape_shell_arg_string (real_name); + char *new_tmp_name = escape_shell_arg_string (tmp_name); + char *cmd1 = concat (compr->command, " ", new_real_name); + char *cmd = concat (cmd1, " > ", new_tmp_name); + free (new_real_name); + free (new_tmp_name); #endif free (cmd1); inf = (system (cmd) == -1 @@ -7707,6 +7712,55 @@ etags_mktmp (void) return templt; } +/* + * Adds single quotes around a string, if found single quotes, escaped it. + * Return a newly-allocated string. + * + * For example: + * escape_shell_arg_string("test.txt") => 'test.txt' + * escape_shell_arg_string("'test.txt") => ''\''test.txt' + */ +static char* +escape_shell_arg_string (char *str) +{ + char *p = str; + int need_space = 2; /* ' at begin and end */ + + while (*p != '\0') + { + if (*p == '\'') + need_space += 4; /* ' to '\'', length is 4 */ + else + need_space++; + + p++; + } + + char *new_str = xnew (need_space + 1, char); + new_str[0] = '\''; + new_str[need_space-1] = '\''; + + int i = 1; /* skip first byte */ + p = str; + while (*p != '\0') + { + new_str[i] = *p; + if (*p == '\'') + { + new_str[i+1] = '\\'; + new_str[i+2] = '\''; + new_str[i+3] = '\''; + i += 3; + } + + i++; + p++; + } + + new_str[need_space] = '\0'; + return new_str; +} + static void do_move_file(const char *src_file, const char *dst_file) { -- 2.38.1 --MP_/FwVzzdtNKr4yNw4mD=nQy5f--