Avoid command injection when PDF bulk export is enabled
Bug #1949527 reported by Robert Lyon
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Robert Lyon |
20.10 | Fix Released | High | Unassigned |
21.04 | Fix Released | High | Unassigned |
21.10 | Fix Released | High | Unassigned |
22.04 | Fix Released | High | Robert Lyon |
Bug Description
The patch https:/
doesn't avoid a filename with backticks and a simple command like
`shutdown` could still be executed.
I have to say I didn't test it
though but I wanted to give a heads-up. I think exploitation is fairly
limited now but it could still be used as a denial of service.
I would highly recommend using a whitelist instead of trying to remove
all special characters, something like preg_replace(
'-', ...) would make it easier and wouldn't require an exhaustive list
of all potentially malicious characters.
All the best,
Dominic
This is a follow on from Bug 1942903
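The allow-list approach recommended in the report, as an added example that is not part of the original report or Mahara's code: the function names, the permitted character set and the sample titles are assumptions. It contrasts a constructed, incomplete denylist, which lets backticks through, with an allow-list that also handles a leading dash and an empty result.

```php
<?php
// Added example; function names and the character set are assumptions, not Mahara code.

// Denylist approach (constructed to show the failure mode): strips a fixed
// set of shell metacharacters, but the list is incomplete and misses backticks.
function denylist_filename(string $name): string {
    return str_replace([';', '|', '&', '$', '>', '<', '"', "'", ' '], '', $name);
}

// Allow-list approach: keep only characters known to be safe in a filename
// and replace everything else with '-'.
function allowlist_filename(string $name, int $maxlen = 100): string {
    $name = basename($name);                                // drop any directory part
    $name = preg_replace('/[^A-Za-z0-9._-]/', '-', $name);  // anything not listed becomes '-'
    $name = preg_replace('/-{2,}/', '-', $name);            // collapse runs of '-'
    $name = ltrim($name, '-.');                             // no leading '-' (option) or '.' (hidden file)
    $name = substr($name, 0, $maxlen);                      // bound the length
    return $name === '' ? 'export' : $name;                 // never return an empty name
}

// Constructed sample titles, as a user might enter them for a page.
$samples = [
    'My Portfolio 2021',
    'report`shutdown`',
    '--output=x',
    '../../etc/passwd',
    '```',
];

foreach ($samples as $title) {
    $deny  = denylist_filename($title);
    $allow = allowlist_filename($title);
    // Even with a clean name, quote it when building a shell command line.
    $arg   = escapeshellarg($allow . '.pdf');
    printf("%-22s deny=%-22s allow=%-22s arg=%s\n",
        var_export($title, true), var_export($deny, true),
        var_export($allow, true), $arg);
}
```

The denylist column still contains the backticks from the second sample, while the allow-list column contains only letters, digits, `.`, `_` and `-` for every input.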
CVE References
information type: | Private Security → Public Security |
https://reviews.mahara.org/#/c/12220/