This repository has been archived by the owner. It is now read-only.
Sanitize inputs to bookmark-cmd (#591)
Newsbeuter didn't properly shell-escape the arguments passed to the bookmarking command, which allows a remote attacker to perform remote code execution by crafting an RSS item whose title and/or URL contain something interpretable by the shell (most notably subshell invocations.) This has been reported by Jeriko One <email@example.com>, complete with PoC and a patch. This vulnerability was assigned CVE-2017-12904.
4 additions and 4 deletions in src/controller.cpp.