cairo-dock-team team mailing list archive

[Bug 925632] [NEW] cairo-dock uses system() with unfiltered strings, allowing to run any command

 

*** This bug is a security vulnerability ***

Private security bug reported:

Cairo-dock-core uses system() in many places, improperly, on not filtered/not escaped strings.
For example cairo-dock-themes-manager.c has zillions of examples of such misuse.

For example:
g_string_printf (sCommand, "rm -rf \"%s/%s\"", g_cThemesDirPath, cThemeName);

If cThemeName is "\"; whoami; \"", it would execute the 'whoami'
command.

Never assume paths contain only "nice" characters!
Never assume (almost) any string that is not set explicitly to contain only "nice" characters!

This allows running any command, even malicious, or, if you are lucky,
the shell can produce just a warning about wrong syntax (depending on
what's fed to system()).

Consider using a function that does not invoke shell or copy/remove
files without using external commands (when appropriate - system() is
used for many tasks); or use g_shell_quote - it will probably do the
job, too.

I consider the "I can run any command without any control" a security
vulnerability and I am marking it as such. Let alone that unintended
files can be removed or whatever...

Thanks.

** Affects: cairo-dock-core
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Cairo-
Dock Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/925632

To manage notifications about this bug go to:
https://bugs.launchpad.net/cairo-dock-core/+bug/925632/+subscriptions
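
The quoting fix suggested in the report, shown beside the vulnerable pattern. This is an added example, not code from the report or from cairo-dock. Assumptions: THEMES_DIR and EVIL_NAME are constructed values, the no-op ':' replaces 'rm -rf' so nothing is deleted, and shell_quote() is a hand-written POSIX quoting routine standing in for GLib's g_shell_quote so the file builds without GLib.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
/* Constructed inputs: theme name shaped like the report's, with a harmless payload. */
static const char *THEMES_DIR = "/tmp/example-themes";
static const char *EVIL_NAME = "\"; exit 7; \"";

/* POSIX single-quote quoting: wrap in '...', emit each ' as '\''. Caller frees. */
char *shell_quote(const char *s) {
    char *out = malloc(4 * strlen(s) + 3), *w = out; /* worst case: every byte is ' */
    if (!out) return NULL;
    *w++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }
        else *w++ = *p;
    }
    *w++ = '\''; *w = '\0';
    return out;
}

/* The report's pattern, with the no-op ':' standing in for 'rm -rf'. */
int build_unsafe(char *buf, size_t len, const char *dir, const char *name) {
    return snprintf(buf, len, ": \"%s/%s\"", dir, name);
}
/* Hardened: the whole path is passed to the shell as one quoted word. */
int build_quoted(char *buf, size_t len, const char *dir, const char *name) {
    char path[512];
    if (snprintf(path, sizeof path, "%s/%s", dir, name) >= (int)sizeof path) return -1;
    char *q = shell_quote(path);
    if (!q) return -1;
    int r = snprintf(buf, len, ": %s", q);
    free(q);
    return r;
}

int run(const char *cmd) { /* exit status of /bin/sh as invoked by system(), or -1 */
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

int main(void) {
    char cmd[1024];
    build_unsafe(cmd, sizeof cmd, THEMES_DIR, EVIL_NAME);
    printf("unsafe: %s -> exit %d\n", cmd, run(cmd));
    build_quoted(cmd, sizeof cmd, THEMES_DIR, EVIL_NAME);
    printf("quoted: %s -> exit %d\n", cmd, run(cmd));
    return 0;
}
```

An exit status of 7 on the unsafe line means the shell executed text taken from the theme name; the quoted line exits 0 because the same bytes arrive as a single argument.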

