
Sanitize inputs to bookmark-cmd (#591)

Newsbeuter didn't properly shell-escape the arguments passed to the
bookmarking command, which allows a remote attacker to perform remote
code execution by crafting an RSS item whose title and/or URL contain
something interpretable by the shell (most notably subshell
invocations).

This has been reported by Jeriko One <jeriko.one@gmx.us>, complete with
PoC and a patch.

This vulnerability was assigned CVE-2017-12904.
Minoru committed Aug 13, 2017
1 parent 2619d1f commit 96e9506ae9e252c548665152d1b8968297128307
Showing with 4 additions and 4 deletions.
  1. +4 −4 src/controller.cpp
@@ -1344,12 +1344,12 @@ std::string controller::bookmark(
std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
if (bookmark_cmd.length() > 0) {
std::string cmdline = strprintf::fmt("%s '%s' %s %s %s",
std::string cmdline = strprintf::fmt("%s '%s' '%s' '%s' '%s'",
bookmark_cmd,
utils::replace_all(url,"'", "%27"),
quote_empty(stfl::quote(title)),
quote_empty(stfl::quote(description)),
quote_empty(stfl::quote(feed_title)));
utils::replace_all(title,"'", "%27"),
utils::replace_all(description,"'", "%27"),
utils::replace_all(feed_title,"'", "%27"));
LOG(level::DEBUG, "controller::bookmark: cmd = %s", cmdline);
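Review bot: The new format string `"%s '%s' '%s' '%s' '%s'"` closes the hole by single-quoting all four item-derived arguments, and inside single quotes the only character the shell still interprets is a closing `'`, which `utils::replace_all(..., "'", "%27")` removes; that is a sound fix, but it is lossy: an apostrophe in a title, description or feed title reaches `bookmark_cmd` as the literal text `%27`, whereas the previous `stfl::quote` path preserved it. If exact content matters to bookmark scripts, the conventional `'\''` substitution (close quote, escaped quote, reopen quote) keeps the data intact with the same safety; otherwise document the `%27` transformation for users writing bookmark commands. Two smaller points: `bookmark_cmd` itself remains unquoted and interpolated verbatim, which is acceptable only because it comes from the user's own config (`cfg.get_configvalue("bookmark-cmd")`) and not from feed data, and dropping `quote_empty` is fine here because an empty value now yields `''`, so the positional arguments still line up. Also note the `LOG(level::DEBUG, ...)` line writes the fully assembled command line, including attacker-controlled item text, to the log, which is useful when investigating a suspicious feed.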