Sanitize inputs to bookmark-cmd (#591)

Newsbeuter didn't properly shell-escape the arguments passed to bookmarking command, which allows a remote attacker to perform remote code execution by crafting an RSS item whose title and/or URL contain something interpretable by the shell (most notably subshell invocations.) This has been reported by Jeriko One <jeriko.one@gmx.us>, complete with PoC and a patch. This vulnerability was assigned CVE-2017-12904.
akrennmair · Aug 19, 2017 · d146018 · d146018
1 parent 969fcb1
commit d146018
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/controller.cpp b/src/controller.cpp
@@ -1275,9 +1275,10 @@ std::string controller::bookmark(const std::string& url, const std::string& titl
 	std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
 	bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
 	if (bookmark_cmd.length() > 0) {
-		std::string cmdline = utils::strprintf("%s '%s' %s %s",
+		std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
 		                                       bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
-		                                       stfl::quote(title).c_str(), stfl::quote(description).c_str());
+		                                       utils::replace_all(title,"'", "%27").c_str(),
+		                                       utils::replace_all(description,"'", "%27").c_str());
 
 		LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());