[Python-apps-team] Bug#731582: canto: command line injection in urls inside feeds

Vincent Legout vincent at legout.info
Sun Dec 8 13:21:14 UTC 2013


Hi,

the_walrus_88 at manlymail.net writes:

> I have just found a command line injection security vuln in
> canto. The program fetches feeds from configured sites, and the
> feeds contain URLs that people may want to visit. If a user
> starts canto and chooses to go to one URL from one feed, canto
> constructs a sh command line to visit the URL, but it doesn't
> remove metachars. Therefore a malicious feed (owner turned bad,
> man-in-the-middle attack if fetched with http) can put bad
> data in all link and guid elements of the feed and use this to
> hack the user when they visit some of the URLs. Not good. See my
> conf.py and evil.rss files for an example. Sorry for my English!

Thanks for the report, I confirm that using evil.rss creates a /tmp/1337
file when trying to launch the URL in a browser. It doesn't seem to be
fixed upstream.

Thanks,
Vincent
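The following is an added illustration of the bug class the report describes, written for this thread; it is not canto's code and not the attached conf.py/evil.rss. The browser template (`echo %u`), the `%u` placeholder and the constructed feed link `EVIL_URL` are assumptions chosen so the example runs side-effect free: the injected command only echoes a marker instead of creating a file in /tmp. It shows the vulnerable pattern (textual substitution of the feed URL into a string handed to `sh -c`) next to two fixes: passing the URL as a single argv element with no shell, or, if a shell really is required by the user's browser setting, quoting it with `shlex.quote`. Both fixes also refuse anything that is not an http(s) URL, since a feed's link/guid elements are attacker-controlled and could otherwise carry option-looking strings or other schemes.

```python
import shlex
import subprocess
from urllib.parse import urlsplit

# Constructed evil feed link (assumption, in the spirit of evil.rss): the
# "URL" carries shell metacharacters. The payload just echoes a marker so
# the demo has no side effects.
EVIL_URL = "http://example.com/story;echo INJECTED"

# Hypothetical browser setting. A real config would name a browser; plain
# echo stands in so we can inspect what actually reached the command.
BROWSER_TEMPLATE = "echo %u"


def vulnerable_command(url, template=BROWSER_TEMPLATE):
    """Build the command the way the report describes: textual substitution
    of the untrusted URL into a shell command line, with no escaping."""
    return template.replace("%u", url)


def vulnerable_launch(url, template=BROWSER_TEMPLATE):
    """Run the substituted string through sh -c. Every metacharacter in the
    URL is interpreted by the shell, so ';echo INJECTED' becomes a second
    command. Returns the lines the shell produced."""
    cmd = vulnerable_command(url, template)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def _check_scheme(url):
    """Feed links are attacker-controlled: only accept http/https, which also
    rejects strings like '-remote ...' that a browser might parse as options."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("refusing non-http(s) URL from feed: %r" % url)


def safe_argv(url, template=BROWSER_TEMPLATE):
    """Fix 1: split the template once (shlex), substitute the URL inside the
    resulting argv list so it is exactly one argument, never reparsed by a
    shell. Works for '-new-tab=%u' style tokens as well as a bare '%u'."""
    _check_scheme(url)
    argv = [a.replace("%u", url) for a in shlex.split(template)]
    if "%u" not in template:
        argv.append(url)
    return argv


def safe_launch(url, template=BROWSER_TEMPLATE):
    """Execute without a shell: metacharacters in the URL are just bytes."""
    out = subprocess.run(safe_argv(url, template), capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


def quoted_command(url, template=BROWSER_TEMPLATE):
    """Fix 2: if the user's setting is a real shell snippet (pipes, &&, ...)
    and must go through sh -c, quote the URL so the shell treats it as one
    literal word."""
    _check_scheme(url)
    return template.replace("%u", shlex.quote(url))


def quoted_launch(url, template=BROWSER_TEMPLATE):
    out = subprocess.run(quoted_command(url, template), shell=True,
                         capture_output=True, text=True, check=False)
    return out.stdout.splitlines()


if __name__ == "__main__":
    print("vulnerable:", vulnerable_launch(EVIL_URL))
    print("argv fix:  ", safe_launch(EVIL_URL))
    print("quoted fix:", quoted_launch(EVIL_URL))
```

Run as-is, the vulnerable path prints two lines (the truncated URL, then INJECTED) while both fixes print the whole evil string as one literal line. The argv form is the one to prefer; `shlex.quote` is only a fallback for configurations that genuinely need a shell, and it protects the URL argument only, not other parts of the template.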
