From: lux
Newsgroups: gmane.emacs.bugs
Subject: bug#60295: [PATCH] Fix htmlfontify.el command injection vulnerability
Date: Sat, 24 Dec 2022 17:03:09 +0800
To: 60295@debbugs.gnu.org
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: patch
Test information:
Emacs version: GNU Emacs 29.0.60
OS: Fedora Linux 37

htmlfontify.el has a command injection vulnerability:

  (defcustom hfy-istext-command "file %s | sed -e 's@^[^:]*:[ \t]*@@'"
    :tag "istext-command"
    :type '(string))

  (defun hfy-text-p (srcdir file)
    (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
           (rsp (shell-command-to-string cmd)))
      ...))

The parameters 'file' and 'srcdir' come from external input and are not
escaped, so a file or directory name that contains shell metacharacters is
executed by the shell. For example:

  $ mkdir vul_test
  $ cd vul_test
  $ echo hello > ";uname>hack.txt#"
  $ ls
  ;uname>hack.txt#

In Emacs, type M-x htmlfontify-copy-and-link-dir and enter the path of
vul_test. At this point hack.txt has been added to the vul_test directory:

  $ ls
  ;uname>hack.txt#  hack.txt#
  $ cat hack.txt\#
  Linux

The attachment is the patch file, thanks.

Content-Disposition: attachment; filename=0001-Fix-htmlfontify.el-command-injection-vulnerability.patch

>From b97db7fc0d38595507ca78018724c769e873a469 Mon Sep 17 00:00:00 2001
From: Xi Lu
Date: Sat, 24 Dec 2022 16:28:54 +0800
Subject: [PATCH] Fix htmlfontify.el command injection vulnerability.

* lisp/htmlfontify.el (hfy-text-p): Fix command injection vulnerability.
---
 lisp/htmlfontify.el | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
index df4c6ab079..389b92939c 100644
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1850,7 +1850,7 @@ hfy-make-directory (defun hfy-text-p (srcdir file) "Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this." - (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir))) + (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))) (rsp (shell-command-to-string cmd))) (string-match "text" rsp)))
-- 
2.38.1
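Review bot: the `+` line in the hunk runs well past 80 columns; Emacs Lisp convention would break it after `(format hfy-istext-command` so that `(shell-quote-argument (expand-file-name file srcdir))` sits on its own line. The change is also silent about a compatibility consequence for users of the `hfy-istext-command' defcustom: on POSIX systems `shell-quote-argument' backslash-escapes metacharacters, so any user template that already wraps `%s` in quotes (for example `file '%s'`) will now hand `file` a name containing literal backslashes inside single quotes and fail to open it. Worth a sentence in the docstring of `hfy-istext-command' (and in the commit message) stating that `%s` is substituted with an already shell-quoted name, so templates must use a bare `%s`.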
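To make the quoting difference visible and to show a variant that keeps the shell out of the picture entirely, here is an added example in Emacs Lisp; it is not part of the bug report or of htmlfontify.el. The `my/` names are hypothetical, the template string is copied from the report, and the no-shell variant assumes a `file` binary that accepts `-b` and `--` (GNU and BSD file do) and gives up the user-customizable template that the original defcustom offers.

```elisp
;; Added example; not part of the bug report or of htmlfontify.el.
;; `my/' names are hypothetical.  The template string is copied from the
;; report's `hfy-istext-command'.

(defvar my/hfy-istext-command "file %s | sed -e 's@^[^:]*:[ \t]*@@'"
  "Template from the report; %s receives the file name.")

(defun my/hfy-build-command (srcdir file &optional quote)
  "Return the shell command string `hfy-text-p' would hand to the shell.
With QUOTE non-nil, pass the path through `shell-quote-argument' as the
patch does; otherwise build it exactly as the vulnerable code did."
  (let ((path (expand-file-name file srcdir)))
    (format my/hfy-istext-command
            (if quote (shell-quote-argument path) path))))

;; Unquoted, the `;' in the report's file name terminates the `file'
;; command and `uname>hack.txt#' is parsed as a second command.
(message "%s" (my/hfy-build-command "/tmp/vul_test" ";uname>hack.txt#"))

;; Quoted, each metacharacter is backslash-escaped and the whole name is
;; passed to `file' as a single argument.
(message "%s" (my/hfy-build-command "/tmp/vul_test" ";uname>hack.txt#" t))

(defun my/hfy-text-p-no-shell (srcdir file)
  "Like `hfy-text-p', but run `file' directly so no shell parses the path.
\"-b\" omits the \"NAME:\" prefix that the sed in the template strips, and
\"--\" keeps a name beginning with \"-\" from being read as an option."
  (with-temp-buffer
    ;; DESTINATION t sends the program's output to the current buffer.
    (call-process "file" nil t nil "-b" "--" (expand-file-name file srcdir))
    (string-match "text" (buffer-string))))
```

Evaluating the two `message` forms in *scratch* shows the exact strings the shell would receive before and after the patch, which is the quickest way to confirm a fix of this kind during review.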