Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#4647 closed patch (fixed)

Make mythbookmarkmanager pass valid command line to myth_system()

Reported by: amb@… Owned by: Isaac Richards
Priority: major Milestone: 0.21
Component: mythbrowser Version: head
Severity: high Keywords:
Cc: Ticket locked: no

Description

The mythbookmarkmanager plugin passes an invalid command line to the myth_system() function. There can be unescaped shell characters passed in which then gets passed straight to the command line. If a URL is something like http :a.site/path?arg1=1&arg2=2&arg3=3 then the '&' character is not protected from the shell.

This patch just fixes the non-security related problems by quoting the '&' and ';' characters. This is not sufficient for a full fix for the problem but it fixes normal usage. A proper fix should go into myth_system() in mythlib/utils.cpp.

Unless proven otherwise failure to escape shell characters should be considered a security problem. Any command can be stored in the bookmark by typing it in so this allows for any shell command to be run as the same user as mythbrowser. This is why it is marked as major priority and high severity - feel free to analyse the security implications and downgrade if necessary.

Attachments (1)

bookmarkmager.cpp.diff (657 bytes) - added by amb@… 12 years ago.
Patch for bookmarkmager.cpp

Download all attachments as: .zip

Change History (4)

Changed 12 years ago by amb@…

Attachment: bookmarkmager.cpp.diff added

Patch for bookmarkmager.cpp

comment:1 Changed 12 years ago by stuartm

Milestone: unknown0.21

comment:2 Changed 12 years ago by Isaac Richards

Resolution: fixed
Status: newclosed

(In [16361]) Escape the commandline for adding the bookmarks. Fixes #4647.

comment:3 Changed 12 years ago by Isaac Richards

(In [16368]) Merge r16361 from trunk:

Escape the commandline for adding the bookmarks. Fixes #4647.

Note: See TracTickets for help on using tickets.