Hello,
Regarding the shell escapes, I agree with Ludovic that ultimately it
would be cleaner to use "exec" in place of "system".
However, the "-cmd" switch of jhead is designed to accept an _entire
shell string_ with placeholders:

    jhead -cmd "mogrify -quality 80 &i" *.jpg

Considering this design, I think the only option is to use "system"
and appropriate input sanitization to prevent file names from being
interpreted as shell commands.
Currently, DoCommand already places double quotes around the file
names that it replaces the placeholders with:

    for (a=0;;a++){
        if (ApplyCommand[a] == '&'){
            if (ApplyCommand[a+1] == 'i'){
                // Input file.
                e += sprintf(ExecString+e, "\"%s\"",FileName);
                a += 1;
                continue;
            }

Therefore, if you create a file named 'foo.jpg;date', then "date" is
not executed:

    $ ./jhead -cmd "echo &i" foo.jpg\;date
    Cmd:echo "foo.jpg;date"
    foo.jpg;date
    Modified: foo.jpg;date

However, "date" *is* executed when you create a file named
'foo.jpg";date;"' (without the outer quotes):

    $ ./jhead -cmd "echo &i" foo.jpg\"\;date\"
    Cmd:echo "foo.jpg";date""
    foo.jpg
    Wed Oct 29 17:42:59 CET 2008
    Modified: foo.jpg";date"

This can be avoided if you escape the file name as done by
"addslashes" from PHP: by placing a backslash before double quotes,
other backslashes, NUL, etc. So in pseudo-code:

    e += sprintf(ExecString+e, "\"%s\"",
                 addslashes(FileName));

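The following is an added example, not code from jhead or from this thread, showing the escaping proposed above carried through in C. The function names shell_escape_dq and build_command are assumed; build_command is a stand-in for the "&i" substitution in DoCommand, not its actual code. Inside a double-quoted POSIX sh string the shell still treats backslash, double quote, "$" and backtick as special, and a single backslash is exactly what neutralises each of them, so the escaper covers all four rather than only quotes and backslashes; NUL cannot appear in a C file name, so it needs no handling. The sample file names in main() are constructed, including the one from the report above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape a file name for use inside a double-quoted POSIX sh string.
 * Within "...", sh still interprets \ " $ and `, and a backslash
 * neutralises each of them, so every such byte gets a backslash
 * prefix.  Returns the number of bytes written (excluding the
 * terminating NUL), or -1 if the output buffer is too small. */
int shell_escape_dq(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        if (*p == '\\' || *p == '"' || *p == '$' || *p == '`') {
            if (o + 1 >= outsz) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = *p;
    }
    out[o] = '\0';
    return (int)o;
}

/* Build the command line from a -cmd template, substituting the quoted,
 * escaped file name for every "&i" placeholder.  This is a hypothetical
 * stand-in for the substitution loop in jhead's DoCommand.  Returns 0
 * on success, -1 if the result does not fit in the output buffer. */
int build_command(const char *tmpl, const char *filename,
                  char *out, size_t outsz)
{
    char esc[4096];
    if (shell_escape_dq(filename, esc, sizeof esc) < 0) return -1;

    size_t o = 0;
    for (size_t a = 0; tmpl[a]; a++) {
        if (tmpl[a] == '&' && tmpl[a + 1] == 'i') {
            int n = snprintf(out + o, outsz - o, "\"%s\"", esc);
            if (n < 0 || (size_t)n >= outsz - o) return -1;
            o += (size_t)n;
            a++;            /* skip the 'i' of the placeholder */
            continue;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = tmpl[a];
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample file names: the harmless one and the one
     * that broke the quoting in the report, plus a name containing
     * the other characters that are special inside double quotes. */
    const char *names[] = {
        "foo.jpg;date",
        "foo.jpg\";date;\"",
        "odd$name`.jpg",
        NULL
    };
    char cmd[8192];
    for (int i = 0; names[i]; i++) {
        if (build_command("echo &i", names[i], cmd, sizeof cmd) == 0)
            printf("Cmd:%s\n", cmd);
    }
    return 0;
}
```

With this escaping, the second name yields the command line echo "foo.jpg\";date;\"", which sh parses as a single argument, so "date" is never reached.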
Nico, do you think this would be sufficient to rule out the
vulnerability?
Best regards,
Bruno De Fraine