This repository was archived by the owner on Oct 10, 2019. It is now read-only.

Commit 96e9506

Sanitize inputs to bookmark-cmd (#591)
Newsbeuter didn't properly shell-escape the arguments passed to the bookmarking command, which allows a remote attacker to perform remote code execution by crafting an RSS item whose title and/or URL contain something interpretable by the shell (most notably subshell invocations). This has been reported by Jeriko One <jeriko.one@gmx.us>, complete with PoC and a patch. This vulnerability was assigned CVE-2017-12904.
1 parent 2619d1f commit 96e9506
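As an added example that is not part of Newsbeuter or of this commit, the C++ below contrasts the commit's approach (single-quote each argument and turn every embedded `'` into `%27`) with the lossless POSIX idiom (`'\''`), and checks both against a small model of POSIX word splitting. The names `quote_percent27`, `quote_posix`, `shell_words` and `build_cmdline` and the sample title are my own constructions; the real code path is `controller::bookmark` in src/controller.cpp.

```cpp
// Added example: two ways of quoting a bookmark argument for /bin/sh, checked
// with a minimal model of how a POSIX shell splits a command line into words.
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// What the commit does: wrap in single quotes and replace every single quote
// with "%27". Nothing inside '...' is interpreted by the shell, so this is
// injection-safe, but the argument the bookmark command receives is altered.
std::string quote_percent27(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "%27";
        else out += c;
    }
    return out + "'";
}

// Lossless POSIX idiom: close the quote, emit a backslash-escaped quote,
// reopen the quote. The command receives the title byte-for-byte.
std::string quote_posix(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Assemble the command line the way the patched controller::bookmark does,
// parameterised on the quoting function (hypothetical helper, not Newsbeuter's).
std::string build_cmdline(const std::string& bookmark_cmd, const std::string& url,
                          const std::string& title, const std::string& description,
                          const std::string& feed_title,
                          std::string (*quote)(const std::string&)) {
    return bookmark_cmd + " " + quote(url) + " " + quote(title) + " " +
           quote(description) + " " + quote(feed_title);
}

// Minimal model of POSIX word splitting sufficient for the two quoters above:
// unquoted text splits on spaces, '...' is literal, a backslash outside quotes
// escapes the next character. Any metacharacter the shell would act on outside
// quotes is reported as an error, which is exactly the unsafe case.
std::vector<std::string> shell_words(const std::string& cmdline) {
    std::vector<std::string> words;
    std::string cur;
    bool in_word = false, in_squote = false;
    for (size_t i = 0; i < cmdline.size(); ++i) {
        char c = cmdline[i];
        if (in_squote) {
            if (c == '\'') in_squote = false;
            else cur += c;
            continue;
        }
        switch (c) {
        case '\'':
            in_squote = true; in_word = true; break;
        case '\\':
            if (i + 1 >= cmdline.size()) throw std::runtime_error("dangling backslash");
            cur += cmdline[++i]; in_word = true; break;
        case ' ':
            if (in_word) { words.push_back(cur); cur.clear(); in_word = false; }
            break;
        case '$': case '`': case ';': case '|': case '&':
        case '<': case '>': case '(': case ')':
            throw std::runtime_error("shell metacharacter outside quotes");
        default:
            cur += c; in_word = true;
        }
    }
    if (in_squote) throw std::runtime_error("unterminated single quote");
    if (in_word) words.push_back(cur);
    return words;
}

int main() {
    // Constructed feed title: contains quotes, a separator and a subshell form.
    const std::string title = "Rock 'n' roll; $(date)";
    for (auto q : {quote_percent27, quote_posix}) {
        std::string cmd = build_cmdline("bookmark.sh", "http://example.invalid/", title,
                                        "desc", "feed", q);
        std::cout << cmd << "\n  -> title arg: " << shell_words(cmd)[2] << "\n";
    }
    return 0;
}
```

Running it shows that both quoters keep the `$(date)` text out of the shell's hands; only `quote_posix` delivers the original title unchanged, while the `%27` form hands the command `Rock %27n%27 roll; $(date)`.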

1 file changed

+4
-4
lines changed

Diff for: src/controller.cpp

@@ -1344,12 +1344,12 @@ std::string controller::bookmark(
13441344
std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
13451345
bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
13461346
if (bookmark_cmd.length() > 0) {
1347-
std::string cmdline = strprintf::fmt("%s '%s' %s %s %s",
1347+
std::string cmdline = strprintf::fmt("%s '%s' '%s' '%s' '%s'",
13481348
bookmark_cmd,
13491349
utils::replace_all(url,"'", "%27"),
1350-
quote_empty(stfl::quote(title)),
1351-
quote_empty(stfl::quote(description)),
1352-
quote_empty(stfl::quote(feed_title)));
1350+
utils::replace_all(title,"'", "%27"),
1351+
utils::replace_all(description,"'", "%27"),
1352+
utils::replace_all(feed_title,"'", "%27"));
13531353

13541354
LOG(level::DEBUG, "controller::bookmark: cmd = %s", cmdline);
13551355
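Review bot: the `replace_all(..., "'", "%27")` on lines 1350-1352 (and the pre-existing one for `url` on 1349) closes the injection, since nothing inside a single-quoted word is interpreted by the shell, but it is lossy: a title such as `Rock 'n' roll` reaches the bookmark command as `Rock %27n%27 roll`, and nothing on the receiving side is told to percent-decode it. The lossless POSIX form is to replace each `'` with `'\''` inside the single-quoted argument; a single helper (e.g. a hypothetical `utils::quote_for_shell()`) would also avoid repeating the same replace_all four times and make it harder to add a fifth argument later without quoting it. Dropping `quote_empty(stfl::quote(...))` is correct here, as that was STFL quoting rather than shell quoting, and an empty value now arrives as `''`, which the shell passes as an empty argument. A regression test that feeds a title containing `'`, `$(` and `;` through this path and asserts the resulting `cmdline` carries it as one single-quoted literal would pin the fix.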
