Fix RCE vulnerability on feed enrichment
Currently there are a few places in the code that do not check URLs for
the presence of a command prefix, allowing malicious websites to run any
command in the local system.
Trying to run feed enrichment (i.e. after option "Extract full content
from HTML5 and Google AMP" is enabled) in a subscription that produces
this item:
<item>
<title>Check /tmp/bad-item-link.txt</title>
<link>|date >/tmp/bad-item-link.txt</link>
</item>
will cause Liferea to call update_request_new on URL
"|date >/tmp/bad-item-link.txt" and then blindly run the command. A
similar effect happens when running the feed enrichment in an item that
links to a document like this:
<!DOCTYPE html>
<html>
<head>
<title>AMP URL RCE PoC</title>
<link rel="amphtml" href="|date > /tmp/bad-amp-url.txt">
</head>
<body>
Check the results in /tmp/bad-amp-url.txt
</body>
</html>
once Liferea tries to load the AMP URL.
There are other calls to update_request_* functions where URLs are
validated correctly (e.g. in feed icons and comments) and do not trigger
this vulnerability. Since the subscription update is the exception where
feed commands are supported (and welcome!) I chose to lock this feature
behind a non-persistent flag and only enable it when required. This is
safer than adding the flag in updateOptions, which is usually reused in
subordinate requests.
This failure exists since commits b828838
and b67dbba from September 2017.
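The defensive check described above, written as an added example that is not Liferea's own code: the `request_t` struct, `source_is_command` and `request_is_permitted` are hypothetical names standing in for the `update_request_*` path, and the opt-in flag lives on the individual request rather than in reusable options, so enrichment and AMP sub-requests never inherit it. The sample sources are constructed from the `<link>` and `amphtml` values quoted in the commit message.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request descriptor (not Liferea's update_request_* API).
 * allow_command is non-persistent: it is set only by the subscription
 * update path and never copied into sub-requests. */
typedef struct {
    const char *source;        /* URL, or "|command" for a feed command */
    bool        allow_command; /* true only where feed commands are wanted */
} request_t;

/* A source is a feed command when its first non-blank character is '|'
 * (the convention for piping a local program's output in as the feed). */
bool source_is_command(const char *source)
{
    if (!source)
        return false;
    while (*source == ' ' || *source == '\t')
        source++;
    return *source == '|';
}

/* Returns true when the request may be dispatched. Feed commands pass only
 * when the caller explicitly opted in; everything else must be http(s). */
bool request_is_permitted(const request_t *req)
{
    if (!req || !req->source)
        return false;
    if (source_is_command(req->source))
        return req->allow_command;
    return strncmp(req->source, "http://", 7) == 0 ||
           strncmp(req->source, "https://", 8) == 0;
}

/* Convenience wrapper: build a request and check it in one call. */
bool permitted(const char *source, bool allow_command)
{
    request_t req = { source, allow_command };
    return request_is_permitted(&req);
}

int main(void)
{
    /* Constructed inputs taken from the commit message's PoC item and page. */
    printf("item link : %s\n", permitted("|date >/tmp/bad-item-link.txt", false) ? "fetch" : "reject");
    printf("amp href  : %s\n", permitted("|date > /tmp/bad-amp-url.txt", false) ? "fetch" : "reject");
    printf("https url : %s\n", permitted("https://example.org/article.html", false) ? "fetch" : "reject");
    printf("feed cmd  : %s\n", permitted("|/usr/local/bin/myfeed", true) ? "fetch" : "reject");
    return 0;
}
```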