Shell injection in ImageMagick filter code via specially crafted filenames
Bug #1716268 reported by James Lu
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Variety | Fix Released | High | Unassigned | |
Bug Description
Steps to reproduce:
1) Rename any image to the format 'test";"<command name>";".png' (e.g. test";"
2) Apply a filter or enable the clock in Variety settings
3) Poof! The code hidden in the filename runs.
Migrating from os.system (which is dangerous and calls a shell) to subprocess.call is the long-term preferred solution. However, the default clock filter actually depends on nesting a shell command to do its work, so changing this code without config migration will break the current setup. What might be the best way to go from here?
This bug affects Variety 0.6.5 along with the latest trunk.
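
The trade-off raised in the description, as an added example (not Variety's code and not the fix committed to trunk): the same constructed filename run through a shell unquoted, through a shell after `shlex.quote`, which keeps nested shell commands in a filter working, and through an argument list with no shell at all. The `%FILE%` placeholder, both filter templates, the `echo`/`printf` stand-ins for the ImageMagick and clock commands, and the double-quote wrapping in the vulnerable variant are assumptions made for illustration.

```python
import shlex
import subprocess

# Constructed filename in the shape the report describes; the embedded
# command is a harmless echo of a marker string.
HOSTILE_NAME = 'test";echo INJECTED;".png'

# Hypothetical filter templates. `echo` stands in for the ImageMagick call and
# $(printf 12:00) for the nested shell command the clock filter relies on.
SIMPLE_FILTER = "echo filtered %FILE%"
CLOCK_FILTER = 'echo "$(printf 12:00)" %FILE%'


def run_unsafe(template, filename):
    """Vulnerable pattern: filename pasted between double quotes, run by a shell.

    shell=True hands the string to /bin/sh -c, the same parsing os.system uses.
    """
    cmd = template.replace("%FILE%", '"' + filename + '"')
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(template, filename):
    """Shell kept for nested commands, but the filename is shell-quoted first."""
    cmd = template.replace("%FILE%", shlex.quote(filename))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv(template, filename):
    """No shell: the template is split once, then the filename fills one argv slot."""
    argv = [filename if tok == "%FILE%" else tok for tok in shlex.split(template)]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("unsafe:", run_unsafe(CLOCK_FILTER, HOSTILE_NAME).splitlines())
    print("quoted:", run_quoted(CLOCK_FILTER, HOSTILE_NAME).splitlines())
    print("argv:  ", run_argv(SIMPLE_FILTER, HOSTILE_NAME).splitlines())
```

Only the quoted variant can run a filter that contains `$(...)`; the argument-list variant needs such filters rewritten, which is the config-migration cost the description mentions.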
tags: removed: shell-injection
Changed in variety: milestone: none → 0.6.6
Changed in variety: status: Fix Committed → Fix Released
Fixed in http://bazaar.launchpad.net/~variety/variety/trunk/revision/615. I will make a new release shortly.