
mahara-contributors team mailing list archive

[Bug 1949527] Re: Avoid command injection when PDF bulk export is enabled


** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/1949527

Title:
  Avoid command injection when PDF bulk export is enabled

Status in Mahara:
  Fix Committed
Status in Mahara 20.10 series:
  Fix Released
Status in Mahara 21.04 series:
  Fix Released
Status in Mahara 21.10 series:
  Fix Released
Status in Mahara 22.04 series:
  Fix Committed

Bug description:
  The patch https://git.mahara.org/mahara/mahara/-/commit/6c15801d04887e482b1f490d8acf6f7c52661eea
  doesn't avoid a filename with backticks and a simple command like
  `shutdown` could still be executed.

  I have to say I didn't test it
  though but I wanted to give a heads-up. I think exploitation is fairly
  limited now but it could still be used as a denial of service.

  I would highly recommend using a whitelist instead of trying to remove
  all special characters, something like preg_replace('/[^a-zA-Z0-9_]/',
  '-', ...) would make it easier and wouldn't require an exhaustive list
  of all potentially malicious characters.

  All the best,
  Dominic

  This is a follow on from Bug 1942903

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1949527/+subscriptions
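As an added illustration (this is not Mahara's code nor the linked commit), the allowlist approach suggested in the report is shown in PHP beside an incomplete denylist, on a constructed filename containing a backtick substitution; the denylist contents and the export command name are hypothetical placeholders.

```php
<?php
// Added example, not Mahara's code. Shows why an allowlist beats a
// denylist when a user-controlled filename ends up on a command line.

/**
 * Denylist-style cleanup (hypothetical list): strips a few well-known
 * shell metacharacters, but anything not on the list, such as backticks,
 * survives and is still interpreted by the shell.
 */
function sanitise_denylist(string $name): string {
    return str_replace(['$', ';', '|', '&', '<', '>', '(', ')'], '', $name);
}

/**
 * Allowlist cleanup, as proposed in the bug report: every byte outside
 * [a-zA-Z0-9_] is replaced by '-', so no shell metacharacter can remain.
 * Runs of '-' are collapsed and an empty result gets a fallback name.
 */
function sanitise_allowlist(string $name): string {
    $clean = preg_replace('/[^a-zA-Z0-9_]/', '-', $name);
    $clean = trim(preg_replace('/-+/', '-', $clean), '-');
    return $clean === '' ? 'export' : $clean;
}

/**
 * Defensive check: true only if the name contains nothing outside the
 * allowlist. Useful as an assertion right before the command is built.
 */
function is_allowlisted(string $name): bool {
    return preg_match('/\A[a-zA-Z0-9_-]+\z/', $name) === 1;
}

/**
 * Builds the export command. The name is allowlisted first, and still
 * wrapped in escapeshellarg() so it is passed as a single argument even
 * if the sanitiser is ever relaxed. 'pdf-export-tool' is a placeholder.
 */
function build_export_command(string $name): string {
    $safe = sanitise_allowlist($name);
    if (!is_allowlisted($safe)) {
        throw new RuntimeException('filename failed allowlist check');
    }
    return 'pdf-export-tool ' . escapeshellarg('page.html')
         . ' ' . escapeshellarg($safe . '.pdf');
}

// Constructed sample input: a view title with a backtick command substitution.
$hostile = 'my view `shutdown` now.pdf';

echo "denylist : ", sanitise_denylist($hostile), PHP_EOL;  // backticks remain
echo "allowlist: ", sanitise_allowlist($hostile), PHP_EOL; // only [a-zA-Z0-9_-]
echo "command  : ", build_export_command($hostile), PHP_EOL;
```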