Correctly quote and escape command line argument passed to "sh -c" (#787203)
Shell fragments must be properly quoted and escaped to prevent execution of unintended commands derived from user controllable data. For example:

    $ printf '#!/bin/sh\necho test > out\n' > script.sh
    $ chmod +x script.sh
    $ truncate -s 20M 'jfs;script.sh'
    $ mkfs.jfs -q 'jfs;script.sh'
    $ ls -l out
    ls: cannot access out: No such file or directory
    $ sudo PATH=$PWD:$PATH /usr/local/bin/gparted 'jfs;script.sh'
    $ sudo PATH=$PWD:$PATH /usr/local/bin/gparted 'jfs;script.sh'
    $ ls -l out
    -rw-r--r-- 1 root root 5 Sep 12 23:11 out
    $ cat out
    test

What is happening is that jfs::set_used_sectors() is using the device name 'jfs;script.sh' without quoting it and passing it to the shell to execute like this:

    sh -c 'echo dm | jfs_debugfs jfs;script.sh'

which the shell duly executes as these two commands:

    echo dm | jfs_debugfs jfs
    script.sh

This could be a security related issue as "sh -c" is able to execute arbitrary shell commands from the argument if it contains shell special characters. Use Glib::shell_quote() [1] to quote and escape file names and whole commands passed to the shell.

[1] Glib::shell_quote(const std::string & unquoted_string)
    https://developer.gnome.org/glibmm/stable/group__ShellUtils.html
    "Quotes a string so that the shell (/bin/sh) will interpret the quoted string to mean unquoted_string. If you pass a filename to the shell, for example, you should first quote it with this function."

Bug 787203 - Correctly quote and escape arguments of external programs passed to execute_command()
parent
e8f0504b
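
The effect of quoting a device name before it reaches "sh -c", as an added example that is not code from this commit or from GParted. Assumptions: shell_quote() here is a hand-written stand-in for Glib::shell_quote() that uses POSIX single-quote rules, printf stands in for jfs_debugfs so the arguments the shell delivers are visible, and the device name is constructed.

```cpp
// Added example: stand-in for Glib::shell_quote(), not glibmm's implementation.
#include <cstdio>
#include <iostream>
#include <string>

// Wrap s in single quotes; an embedded ' becomes '\'' (close, escaped quote, reopen).
std::string shell_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    out += "'";
    return out;
}

// Run a command line through the shell (popen() uses "sh -c") and capture stdout.
std::string run_sh(const std::string& cmdline) {
    std::string result;
    FILE* p = popen(cmdline.c_str(), "r");
    if (!p) return result;
    char buf[256];
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, p)) > 0) result.append(buf, n);
    pclose(p);
    return result;
}

// printf '<%s>\n' prints each argument it receives on its own line, in brackets.
std::string build_unquoted(const std::string& dev) {
    return "printf '<%s>\\n' " + dev;               // device name pasted in as-is
}
std::string build_quoted(const std::string& dev) {
    return "printf '<%s>\\n' " + shell_quote(dev);  // device name quoted first
}

int main() {
    const std::string dev = "jfs;echo EXTRA";  // constructed name containing ';'
    // Unquoted: the shell splits at ';' and runs a second command.
    std::cout << "unquoted:\n" << run_sh(build_unquoted(dev));
    // Quoted: the whole name arrives as a single argument.
    std::cout << "quoted:\n" << run_sh(build_quoted(dev));
}
```
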