`` in author names are not escaped, allowing execution of arbitrary commands #17
Comments
|
At least this case would be simply fixed by using single instead of double quotes around the author names when writing that file. That would prevent all kinds of similar problems as well. |
|
So just to clarify the above, simply was a foolish choice of word. Yes, using single quotes instead of double solves the problem, but that will fail if the author's name contains one. 'Tim O'Really' for example. It's not possible to escape that as ' either. In bash, you can do $'Tim O'\Really' (which is what I tried), but apparently you can't in the gnuplot file. I'll investigate what else might be possible when I have time. |
|
(the other simple/obvious option would be to just remove any backtick characters from the author name, but just doing that may well leave other avenues of attack open - I was looking for a solution that ensures the name is taken as a literal string no matter what) |
|
Indeed. I was kind of hoping some gnuplot expert would pop in and tip us on how to do this properly, but alas, we will have to do with the unoptimal blacklisting. Thanks for reporting the bug. |
|
I think that solution is probably fine. I did have a good read of the documentation later, and I don't see any way of causing problems with any other characters other than the backtick. |
Whenever an author name contains
, they are output as-is in gnuplot files. gnuplot then runs the command that they contain, making it extremely unsafe to run gitstats on untrusted repositories, where author names could containmalicious command``.The text was updated successfully, but these errors were encountered: