1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
|
Description: Fix a RCE vulnerability on the bookmark command
Newsbeuter didn't properly escape the title and description fields before
passing them to the bookmarking program which could lead to remote code
execution using the shells command substitution functionality (e.g. "$()", ``,
etc)
Origin: upstream, https://github.com/akrennmair/newsbeuter/commit/96e9506ae9e252c548665152d1b8968297128307
--- newsbeuter-2.9.orig/src/controller.cpp
+++ newsbeuter-2.9/src/controller.cpp
@@ -1274,9 +1274,10 @@ std::string controller::bookmark(const s
std::string bookmark_cmd = cfg.get_configvalue("bookmark-cmd");
bool is_interactive = cfg.get_configvalue_as_bool("bookmark-interactive");
if (bookmark_cmd.length() > 0) {
- std::string cmdline = utils::strprintf("%s '%s' %s %s",
+ std::string cmdline = utils::strprintf("%s '%s' '%s' '%s'",
bookmark_cmd.c_str(), utils::replace_all(url,"'", "%27").c_str(),
- stfl::quote(title).c_str(), stfl::quote(description).c_str());
+ utils::replace_all(title,"'", "%27").c_str(),
+ utils::replace_all(description,"'", "%27").c_str());
LOG(LOG_DEBUG, "controller::bookmark: cmd = %s", cmdline.c_str());
|
