This repository has been archived by the owner. It is now read-only.
Sanitize inputs to bookmark-cmd (#591)
Newsbeuter didn't properly shell-escape the arguments passed to the
bookmarking command, which allows a remote attacker to perform remote
code execution by crafting an RSS item whose title and/or URL contain
something interpretable by the shell (most notably subshell

This has been reported by Jeriko One <>, complete with
PoC and a patch.

This vulnerability was assigned CVE-2017-12904.
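The following is an added example, not Newsbeuter's code or the code from this commit. It contrasts the commit's `%27` rewrite with the lossless POSIX quoting form `'\''` (close quote, escaped quote, reopen), and includes a small model of how a shell reads a single-quoted word so the two can be checked. `replace_all`, `percent27_quote`, `shell_quote`, `shell_read_word`, `word_seen` and `build_bookmark_cmdline` are names chosen here; only the shape of the command line mirrors `controller::bookmark`.

```cpp
#include <iostream>
#include <string>

// Replace every occurrence of `from` in `s` with `to`. Stand-in for the
// utils::replace_all helper the commit calls; not Newsbeuter's implementation.
std::string replace_all(std::string s, const std::string& from, const std::string& to) {
    if (from.empty()) return s;
    size_t pos = 0;
    while ((pos = s.find(from, pos)) != std::string::npos) {
        s.replace(pos, from.size(), to);
        pos += to.size();  // skip past the replacement so inserted quotes are not rescanned
    }
    return s;
}

// The commit's approach: rewrite the only dangerous character as %27, then
// wrap in single quotes. Safe against breaking out of the quotes, but the
// bookmark script receives "%27" wherever the item had an apostrophe.
std::string percent27_quote(const std::string& arg) {
    return "'" + replace_all(arg, "'", "%27") + "'";
}

// Lossless alternative: inside single quotes a POSIX shell interprets nothing
// except the closing quote, so a literal quote is written as '\'' (close,
// backslash-escaped quote, reopen) and every other byte passes through.
std::string shell_quote(const std::string& arg) {
    return "'" + replace_all(arg, "'", "'\\''") + "'";
}

// Minimal model of how a POSIX shell reads one word made of single-quoted
// segments and backslash-escaped characters. Returns false if the input is
// not a single fully quoted word (quote left open, or an unquoted special
// character such as a space, $, backtick, double quote or semicolon).
// Used here only to check the two quoting functions above.
bool shell_read_word(const std::string& word, std::string& out) {
    out.clear();
    bool in_single = false;
    for (size_t i = 0; i < word.size(); ++i) {
        char c = word[i];
        if (in_single) {
            if (c == '\'') in_single = false; else out += c;
        } else if (c == '\'') {
            in_single = true;
        } else if (c == '\\' && i + 1 < word.size()) {
            out += word[++i];
        } else if (c == ' ' || c == '$' || c == '`' || c == '"' || c == ';') {
            return false;
        } else {
            out += c;
        }
    }
    return !in_single;
}

// The word the shell would see, or an empty string if the input is not one
// fully quoted word.
std::string word_seen(const std::string& quoted) {
    std::string out;
    return shell_read_word(quoted, out) ? out : std::string();
}

// Command line in the shape of controller::bookmark: the configured command
// first (the user's own config value, left as typed), then the four
// feed-controlled fields, each quoted losslessly.
std::string build_bookmark_cmdline(const std::string& bookmark_cmd, const std::string& url,
                                   const std::string& title, const std::string& description,
                                   const std::string& feed_title) {
    return bookmark_cmd + " " + shell_quote(url) + " " + shell_quote(title) + " " +
           shell_quote(description) + " " + shell_quote(feed_title);
}

int main() {
    const std::string title = "Rock 'n' roll";  // constructed sample item title
    std::cout << "%27 form  -> script sees: " << word_seen(percent27_quote(title)) << '\n';
    std::cout << "'\\'' form -> script sees: " << word_seen(shell_quote(title)) << '\n';
    std::cout << build_bookmark_cmdline("~/bin/bookmark.sh", "https://example.com/a",
                                        title, "desc", "feed") << '\n';
    return 0;
}
```

Both forms keep a feed-controlled apostrophe from closing the quoted argument; the difference is only whether the script downstream sees the title as written. Passing the fields as an argv vector through fork/exec instead of a shell would remove the quoting question entirely.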
Minoru committed Aug 17, 2017
1 parent 2619d1f commit 96e9506ae9e252c548665152d1b8968297128307
Showing with 4 additions and 4 deletions.
  1. +4 −4 src/controller.cpp
@@ -1344,12 +1344,12 @@ std::string controller::bookmark(
std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
if (bookmark_cmd.length() > 0) {
std::string cmdline = strprintf::fmt("%s '%s' %s %s %s",
std::string cmdline = strprintf::fmt("%s '%s' '%s' '%s' '%s'",
utils::replace_all(url,"'", "%27"),
utils::replace_all(title,"'", "%27"),
utils::replace_all(description,"'", "%27"),
utils::replace_all(feed_title,"'", "%27"));

LOG(level::DEBUG, "controller::bookmark: cmd = %s", cmdline);
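Review bot: the `%27` substitution in the replaced `fmt` call is not shell escaping but a lossy rewrite of the data. It does work: a POSIX single-quoted string interprets nothing except the closing `'`, so removing that one character keeps `url`, `title`, `description` and `feed_title` inside their quotes, and the new format string `"%s '%s' '%s' '%s' '%s'"` also closes the gap where the last three were previously passed unquoted. The cost is that any bookmark script now receives `%27` wherever an item contained an apostrophe. Consider the lossless form, replacing `'` with `'\''` (close quote, escaped quote, reopen), or dropping the shell entirely and handing the fields to the command as an argv vector via fork/exec. The first `%s` is the user-configured `bookmark-cmd` and is intentionally left unquoted; that is acceptable only because it comes from the user's own config file, not from the feed. Note also that the `LOG(level::DEBUG, ...)` line writes the full command line, so the feed-controlled strings land in the debug log as well.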
