[Global-commit] global/htags htags.c


From: Shigio YAMAGUCHI
Subject: [Global-commit] global/htags htags.c
Date: Thu, 9 May 2024 03:21:32 -0400 (EDT)

CVSROOT:        /sources/global
Module name:    global
Changes by:     Shigio YAMAGUCHI <shigio>       24/05/09 03:21:32

Modified files:
        htags          : htags.c 

Log message:
        [FIXED BUGS]
        A security vulnerability was found in htags.
        Htags took the input provided in the dbpath option (-d) and
        appended it to a command string that will later be executed by
        the system() function, without any escaping, leading to a command
        injection vulnerability.
        
                $ rm -f /tmp/w
                $ htags -g -q -d '$(pwd>/tmp/w)'
                $ cat /tmp/w
                /tmp/global/htags
        
        It was fixed. Now it just outputs an error:
        
                $ rm -f /tmp/w
                $ htags -g -q -d '$(pwd>/tmp/w)'
                gtags: directory '/tmp/global/htags/$(pwd>' not found.
                $ cat /tmp/w
                cat: /tmp/w: No such file or directory

CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/global/htags/htags.c?cvsroot=global&r1=1.235&r2=1.236
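
The bug class described in the log message, as an added illustration (this is not the change made to htags.c, which this page does not show): an untrusted value is quoted for /bin/sh before it is placed in a string destined for system(). The helper names and the `gtags <dbpath>` command shape are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not taken from htags.c: return a malloc'd copy of s
 * wrapped in single quotes for /bin/sh, with each embedded ' written as '\''
 * so the shell reads the whole value as one literal word. */
char *shell_quote(const char *s)
{
    size_t n = 3;                        /* opening quote, closing quote, NUL */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *q = out;
    if (out == NULL)
        return NULL;
    *q++ = '\'';
    for (const char *p = s; *p; p++)
        if (*p == '\'')
            q = (char *)memcpy(q, "'\\''", 4) + 4;
        else
            *q++ = *p;
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Build the string that would go to system(), with dbpath quoted. The unsafe
 * pattern appends dbpath as-is. "gtags <dbpath>" is an assumed command shape. */
char *build_command(const char *dbpath)
{
    char *arg = shell_quote(dbpath);
    if (arg == NULL)
        return NULL;
    size_t n = strlen("gtags ") + strlen(arg) + 1;
    char *cmd = malloc(n);
    if (cmd != NULL)
        snprintf(cmd, n, "gtags %s", arg);
    free(arg);
    return cmd;
}

int main(void)
{
    const char *dbpath = "$(pwd>/tmp/w)";      /* value from the log message */
    char *cmd = build_command(dbpath);
    printf("unquoted: gtags %s\nquoted:   %s\n", dbpath, cmd ? cmd : "(alloc failed)");
    free(cmd);
    return 0;
}
```

Passing an argument vector to execvp() instead of a string to system() avoids the shell entirely, so no quoting is needed.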


