Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

security: shellwords escape attachment file names to prevent remote c…

…ode injection

Merge peristent temp files and fix quotation of shellwords escaped string

s|returnded|returned|

Conflicts:
	doc/Hooks.txt
	lib/sup/message_chunks.rb
  • Loading branch information...
commit 8b46cdbfc14e07ca07d403aa28b0e7bc1c544785 1 parent 7eaf96e
@gauteh gauteh authored
Showing with 20 additions and 4 deletions.
  1. +2 −1  doc/Hooks.txt
  2. +18 −3 lib/sup/message_chunks.rb
View
3  doc/Hooks.txt
@@ -50,10 +50,11 @@ before-poll:
mime-decode:
## turn text/html attachments into plain text, unless they are part
## of a multipart/alternative pair
+ require 'shellwords'
unless sibling_types.member? "text/plain"
case content_type
when "text/html"
- `/usr/bin/w3m -dump -T #{content_type} '#{filename}'`
+ `/usr/bin/w3m -dump -T #{content_type} #{Shellwords.escape filename}`
end
end
View
21 lib/sup/message_chunks.rb
@@ -60,6 +60,8 @@ def make_tmpname(prefix_suffix, n)
module Redwood
module Chunk
class Attachment
+ ## please see note in write_to_disk on important usage
+ ## of quotes to avoid remote command injection.
HookManager.register "mime-decode", <<EOS
Decodes a MIME attachment into text form. The text will be displayed
directly in Sup. For attachments that you wish to use a separate program
@@ -76,6 +78,9 @@ class Attachment
The decoded text of the attachment, or nil if not decoded.
EOS
+
+ ## please see note in write_to_disk on important usage
+ ## of quotes to avoid remote command injection.
HookManager.register "mime-view", <<EOS
Views a non-text MIME attachment. This hook allows you to run
third-party programs for attachments that require such a thing (e.g.
@@ -122,6 +127,8 @@ def initialize content_type, filename, encoded_content, sibling_types
when /^text\/plain\b/
@raw_content
else
+ ## please see note in write_to_disk on important usage
+ ## of quotes to avoid remote command injection.
HookManager.run "mime-decode", :content_type => content_type,
:filename => lambda { write_to_disk },
:charset => encoded_content.charset,
@@ -153,11 +160,13 @@ def expandable?; !viewable? end
def initial_state; :open end
def viewable?; @lines.nil? end
def view_default! path
+ ## please see note in write_to_disk on important usage
+ ## of quotes to avoid remote command injection.
case RbConfig::CONFIG['arch']
when /darwin/
- cmd = "open '#{path}'"
+ cmd = "open #{path}"
else
- cmd = "/usr/bin/run-mailcap --action=view '#{@content_type}:#{path}'"
+ cmd = "/usr/bin/run-mailcap --action=view #{@content_type}:#{path}"
end
debug "running: #{cmd.inspect}"
BufferManager.shell_out(cmd)
@@ -165,6 +174,8 @@ def view_default! path
end
def view!
+ ## please see note in write_to_disk on important usage
+ ## of quotes to avoid remote command injection.
write_to_disk do |file|
@@view_tempfiles.push file # make sure the tempfile is not garbage collected before sup stops
@@ -175,6 +186,10 @@ def view!
end
end
+ ## note that the path returned from write_to_disk is
+ ## Shellwords.escaped and is intended to be used without single
+ ## or double quotes. the use of either opens sup up for remote
+ ## code injection in the file name.
def write_to_disk
begin
file = Tempfile.new(["sup", Shellwords.escape(@filename.gsub("/", "_")) || "sup-attachment"])
@@ -243,7 +258,7 @@ def color; :sig_color end
class EnclosedMessage
attr_reader :lines
def initialize from, to, cc, date, subj
- @from = from ? "unknown sender" : from.full_adress
+ @from = from ? "unknown sender" : from.full_address
@to = to ? "" : to.map { |p| p.full_address }.join(", ")
@cc = cc ? "" : cc.map { |p| p.full_address }.join(", ")
if date

0 comments on commit 8b46cdb

Please sign in to comment.
Something went wrong with that request. Please try again.