Ah, now I remember. That's why I didn't change it, especially because the
rest of jhead just layers on top of the "jhead -cmd" functionality.
Matthias
----- Original Message -----
From: "Bruno De Fraine" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, October 29, 2008 11:56 AM
Subject: Re: jhead: CVE-2008-4640, CVE-2008-4641 command injection via filename and insecure file handling
Hello,
Regarding the shell escapes, I agree with Ludovic that ultimately it
would be cleaner to use "exec" in place of "system".
However, the "-cmd" switch of jhead is designed to accept an _entire
shell string_ with placeholders:
    jhead -cmd "mogrify -quality 80 &i" *.jpg
Considering this design, I think the only option is to use "system" and
appropriate input sanitization to prevent file names from being interpreted
as shell commands.
Currently, DoCommand already places double quotes around the file names
that it replaces the placeholders with:
    for (a=0;;a++){
        if (ApplyCommand[a] == '&'){
            if (ApplyCommand[a+1] == 'i'){
                // Input file.
                e += sprintf(ExecString+e, "\"%s\"",FileName);
                a += 1;
                continue;
            }
Therefore, if you create a file named 'foo.jpg;date', then "date" is not
executed:
    $ ./jhead -cmd "echo &i" foo.jpg\;date
    Cmd:echo "foo.jpg;date"
    foo.jpg;date
    Modified: foo.jpg;date
However, "date" *is* executed when you create a file named
'foo.jpg";date;"' (without the outer quotes):
    $ ./jhead -cmd "echo &i" foo.jpg\"\;date\"
    Cmd:echo "foo.jpg";date""
    foo.jpg
    Wed Oct 29 17:42:59 CET 2008
    Modified: foo.jpg";date"
This can be avoided if you escape the file name as done by "addslashes"
from PHP: by placing a backslash before double quotes, other backslashes,
NUL, etc. So in pseudo-code:
    e += sprintf(ExecString+e, "\"%s\"", addslashes(FileName));
Nico, do you think this would be sufficient to rule out the
vulnerability?
Best regards,
Bruno De Fraine
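The escaping Bruno proposes, worked through as an added example (this is not jhead's code and not the fix that was eventually shipped): shell_quote_filename and build_command are hypothetical names, and the escape set is widened beyond addslashes to everything /bin/sh still interprets between double quotes, because backslash and double quote alone would not stop dollar or backquote expansion there.

```c
#include <stddef.h>
#include <string.h>
/* Added example, not jhead's own code. Inside double quotes /bin/sh still
 * treats backslash, double quote, dollar and backquote specially, so all
 * four are escaped: a superset of addslashes for this context. */
static char g_cmd[256];   /* scratch buffer for the constructed samples */
/* Write "<escaped name>" into out. Returns the length written (without the
 * terminating NUL), or -1 if out is too small. */
int shell_quote_filename(const char *name, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz < 3) return -1;
    out[o++] = '"';
    for (const char *p = name; *p; p++) {
        int esc = (*p == '\\' || *p == '"' || *p == '$' || *p == '`');
        /* room for this byte (plus backslash), the closing quote and NUL */
        if (o + (esc ? 2 : 1) + 2 > outsz) return -1;
        if (esc) out[o++] = '\\';
        out[o++] = *p;
    }
    out[o++] = '"';
    out[o] = '\0';
    return (int)o;
}
/* Expand every &i placeholder of a -cmd template with the quoted file name,
 * in the spirit of DoCommand. Returns the result length, or -1 on overflow. */
int build_command(const char *tmpl, const char *filename, char *out, size_t outsz)
{
    size_t e = 0;
    if (outsz == 0) return -1;
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '&' && p[1] == 'i') {
            int n = shell_quote_filename(filename, out + e, outsz - e);
            if (n < 0) return -1;
            e += (size_t)n;
            p++;                        /* skip the 'i' of the placeholder */
            continue;
        }
        if (e + 2 > outsz) return -1;   /* this byte plus terminating NUL */
        out[e++] = *p;
    }
    out[e] = '\0';
    return (int)e;
}
```

With the file name from the session above, build_command("echo &i", "foo.jpg\";date\"", g_cmd, sizeof g_cmd) produces echo "foo.jpg\";date\"", which the shell hands to echo as a single argument; the fixed-size checks return -1 instead of overrunning the buffer on a long name.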