From: lux
To: 60295@debbugs.gnu.org
Subject: bug#60295: [PATCH] Fix htmlfontify.el command injection vulnerability
Date: Sat, 24 Dec 2022 17:03:09 +0800

Test information:
Emacs version: GNU Emacs 29.0.60
OS: Fedora Linux 37

htmlfontify.el has a command injection vulnerability:

(defcustom hfy-istext-command "file %s | sed -e 's@^[^:]*:[ \t]*@@'"
  :tag "istext-command"
  :type '(string))

(defun hfy-text-p (srcdir file)
  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
         (rsp (shell-command-to-string cmd)))
    ...))

Parameter 'file' and parameter 'srcdir' come from external input, and
the parameters are not escaped. So, if the file name or directory name
contains shell characters, they will be executed.

For example:

$ mkdir vul_test
$ cd vul_test
$ echo hello > ";uname>hack.txt#"
$ ls
;uname>hack.txt#

In Emacs, type M-x htmlfontify-copy-and-link-dir and input the vul_test
path; at this time, hack.txt is added to the vul_test directory:

$ ls
;uname>hack.txt#  hack.txt#
$ cat hack.txt\#
Linux

The attachment is the patch file, thanks.

>From b97db7fc0d38595507ca78018724c769e873a469 Mon Sep 17 00:00:00 2001 From: Xi Lu Date: Sat, 24 Dec 2022 16:28:54 +0800 Subject: [PATCH] Fix htmlfontify.el command injection vulnerability. * lisp/htmlfontify.el (hfy-text-p): Fix command injection vulnerability. --- lisp/htmlfontify.el | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el index df4c6ab079..389b92939c 100644 --- a/lisp/htmlfontify.el +++ b/lisp/htmlfontify.el
@@ -1850,7 +1850,7 @@ hfy-make-directory (defun hfy-text-p (srcdir file) "Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this." - (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir))) + (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))) (rsp (shell-command-to-string cmd))) (string-match "text" rsp))) -- 2.38.1
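
Review bot: on the `+` line the expanded path is shell-quoted, but it is still spliced with `format` into `hfy-istext-command`, which is a user-customizable string, so a customized value that puts its own quotes around `%s` (for example `file '%s'`) will no longer receive the plain file name. Say in the `hfy-istext-command` docstring that `%s` is replaced by an already shell-quoted file name, or run the program without a shell and pass the name as a separate argument. The new line is also well over 80 columns; break it before `(shell-quote-argument`.
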
From: Stefan Kangas
To: lux, 60295@debbugs.gnu.org, eliz@gnu.org
Subject: bug#60295: [PATCH] Fix htmlfontify.el command injection vulnerability
Date: Mon, 26 Dec 2022 19:03:35 +0000

tags 60295 + security
thanks

lux writes:

> From b97db7fc0d38595507ca78018724c769e873a469 Mon Sep 17 00:00:00 2001 > From: Xi Lu > Date: Sat, 24 Dec 2022 16:28:54 +0800 > Subject: [PATCH] Fix htmlfontify.el command injection vulnerability. > > * lisp/htmlfontify.el > (hfy-text-p): Fix command injection vulnerability. > --- > lisp/htmlfontify.el | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el > index df4c6ab079..389b92939c 100644 > --- a/lisp/htmlfontify.el > +++ b/lisp/htmlfontify.el > @@ -1850,7 +1850,7 @@ hfy-make-directory > > (defun hfy-text-p (srcdir file) > "Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this." > - (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir))) > + (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))) > (rsp (shell-command-to-string cmd))) > (string-match "text" rsp)))

Eli, is it okay to install this patch on the Emacs 29 branch?

It looks safe, as it only adds shell quoting to a filename before it is
fed to `shell-command-to-string'.

But on master maybe we could avoid calling the shell altogether by using
something like this:

(defun file-binary-p (filename)
  "Return t if FILENAME names a binary file.
Return nil if FILENAME does not name a binary file, or if there
was trouble determining whether FILENAME is a binary file."
  (when (and (file-readable-p filename)
             (not (file-directory-p filename)))
    (catch 'binaryp
      (with-current-buffer (find-file-noselect filename t)
        (unwind-protect
            (throw 'binaryp (eq buffer-file-coding-system 'binary))
          (kill-buffer))))))

From: help-debbugs@gnu.org (GNU bug Tracking System)
To: lux
Subject: bug#60295: closed (Re: bug#60295: [PATCH] Fix htmlfontify.el command injection vulnerability)
Date: Tue, 27 Dec 2022 14:12:02 +0000

Your bug report

#60295: [PATCH] Fix htmlfontify.el command injection vulnerability

which was filed against the emacs package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 60295@debbugs.gnu.org.

-- 
60295: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=60295
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Eli Zaretskii
To: lux
Cc: 60295-done@debbugs.gnu.org
Subject: Re: bug#60295: [PATCH] Fix htmlfontify.el command injection vulnerability
Date: Tue, 27 Dec 2022 16:11:21 +0200

> Date: Sat, 24 Dec 2022 17:03:09 +0800
> From: lux
>
> Test information:
> Emacs version: GNU Emacs 29.0.60
> OS: Fedora Linux 37
>
> htmlfontify.el has a command injection vulnerability:
>
> (defcustom hfy-istext-command "file %s | sed -e 's@^[^:]*:[ \t]*@@'"
>   :tag "istext-command"
>   :type '(string))
>
> (defun hfy-text-p (srcdir file)
>   (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
>          (rsp (shell-command-to-string cmd)))
>     ...))
>
> Parameter 'file' and parameter 'srcdir' come from external input, and
> the parameters are not escaped. So, if the file name or directory name
> contains shell characters, they will be executed.
>
> For example:
>
> $ mkdir vul_test
> $ cd vul_test
> $ echo hello > ";uname>hack.txt#"
> $ ls
> ;uname>hack.txt#
>
> In Emacs, type M-x htmlfontify-copy-and-link-dir and input the vul_test
> path; at this time, hack.txt is added to the vul_test directory:
>
> $ ls
> ;uname>hack.txt#  hack.txt#
> $ cat hack.txt\#
> Linux
>
> The attachment is the patch file, thanks.

Thanks, installed on the emacs-29 branch, and closing the bug.
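
A regression test for the fix discussed in this thread, as an added example that is not code from Emacs or from any participant: it runs `hfy-text-p` (assumed to have the patch applied) and a hypothetical shell-free variant, in the spirit of the suggestion to avoid the shell on master, on the file name from the report and checks that no extra file appears. All `my-` names are hypothetical; file(1) and sed are assumed to be on PATH.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example: not part of Emacs or of the patch in this thread.
;; Every `my-' name below is hypothetical.
(require 'ert)
(require 'htmlfontify)                  ; provides `hfy-text-p'

(defun my-hfy-text-p-noshell (srcdir file)
  "Return non-nil if SRCDIR/FILE is text, without involving a shell.
file(1) is started directly with an argument vector, so the file
name is never parsed as shell syntax."
  (with-temp-buffer
    ;; `expand-file-name' returns an absolute name, so file(1) cannot
    ;; mistake it for an option.
    (and (eq 0 (call-process "file" nil t nil "-b"
                             (expand-file-name file srcdir)))
         (string-match-p "text" (buffer-string)))))

(defun my-hfy--check-predicate (predicate)
  "Call PREDICATE on a file whose name contains shell metacharacters.
Assert that it reports text and that no other file was created."
  (let* ((dir (file-name-as-directory (make-temp-file "hfy-test" t)))
         (name ";uname>hack.txt#")      ; file name used in the report
         (default-directory dir))       ; stray output would land here
    (unwind-protect
        (progn
          (write-region "hello\n" nil (expand-file-name name dir))
          (should (funcall predicate dir name))
          ;; The directory must still hold exactly the one file.
          (should (equal (directory-files
                          dir nil directory-files-no-dot-files-regexp)
                         (list name))))
      (delete-directory dir t))))

(ert-deftest my-hfy-text-p-quoted ()
  "`hfy-text-p' with the `shell-quote-argument' fix applied."
  (skip-unless (and (executable-find "file") (executable-find "sed")))
  (my-hfy--check-predicate #'hfy-text-p))

(ert-deftest my-hfy-text-p-noshell ()
  "Shell-free variant: the file name is passed as a process argument."
  (skip-unless (executable-find "file"))
  (my-hfy--check-predicate #'my-hfy-text-p-noshell))
```

Run it in a scratch session with `M-x ert RET my-hfy RET`; on an Emacs without the patch the first test fails because `hack.txt#` appears in the temporary directory.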