Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dangerous call to bash shell allows command injection #5

Closed
n303p4 opened this issue Apr 21, 2024 · 2 comments
Closed

Dangerous call to bash shell allows command injection #5

n303p4 opened this issue Apr 21, 2024 · 2 comments
Assignees
@Nyre221

Comments

@n303p4
Copy link

n303p4 commented Apr 21, 2024
edited
Loading

Kiview/src/documentviewer.cpp

Lines 42 to 47 in c065ebe

std::string command = libreofficeCommand + " --headless --nolockcheck --norestore --convert-to pdf '" + path + "' --outdir " + tempDir;
QProcess process;
process.setProgram(QStringLiteral("setsid"));
process.setArguments( QStringList() << QStringLiteral("bash") << QStringLiteral("-c") << QString::fromStdString(command) );

bash is called here and there's no input sanitization done on the file path.

As an example, if a filename includes the string ' & (cd && rm -rf *) & ', and an unwitting user previews it in Kiview, it'll wipe out the user's entire home directory without warning. Tested this in a VM.

Could avoid this in a number of ways, e.g. by not calling bash. I'm not familiar with QProcess usage, so I don't know what the "proper" way to handle command arguments here is, but as a rule of thumb, the file path itself should be treated as a singular argument, so that it can't accidentally be interpreted as a series of arguments that mean something totally different. You could probably also use LibreOfficeKit to avoid making an external command call in the first place.

Attached is a video illustrating a less damaging version:

command-injection.webm

@Nyre221
Copy link
Owner

Nyre221 commented Apr 21, 2024

Really interesting, I'll see what I can do.

In any case, I don't think it's the call to libreoffice that's the problem.
I also use bash to try to figure out the file type if there is no extension present and that is probably the problem in this case.

I will check every part of the code where I used bash and try to fix it.

For now use the flatpak version.

Thank you very much for pointing out this error to me.

@Nyre221 Nyre221 self-assigned this Apr 21, 2024
@Nyre221
Copy link
Owner

Nyre221 commented Apr 21, 2024

@n303p4
Thank you so much once again for reporting the issue.

I eliminated bash -c and gave the arguments directly to the exec and that allowed me to pass the path separately.

In dolphinbridge.cpp I put a check on the presence of some characters so as to avoid using xclip or wl-copy to restore the contents of the clipboard (This is necessary because KIview uses the clipboard to take the path from dolphin).

@Nyre221 Nyre221 mentioned this issue Apr 22, 2024
Open
@slynobody slynobody mentioned this issue Aug 13, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Nyre221 Nyre221

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@n303p4 @Nyre221