commit 942531cdadfb3fec0fc3bc9b88db801b6c312e3b
parent 85fdddfa423c7f990e80a9876b1325dd30514af6
Author: Gaute Hope <eg@gaute.vetsj.com>
Date: Mon, 28 Oct 2013 22:42:50 +0100
security: prevent remote command injection in content_type
Diffstat:
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/lib/sup/message_chunks.rb b/lib/sup/message_chunks.rb
@@ -113,6 +113,11 @@ EOS
def initialize content_type, filename, encoded_content, sibling_types
@content_type = content_type.downcase
+ if Shellwords.escape(@content_type) != @content_type
+ warn "content_type #{@content_type} is not safe, changed to application/octet-stream"
+ @content_type = 'application/octet-stream'
+ end
+
@filename = filename
@quotable = false # changed to true if we can parse it through the
# mime-decode hook, or if it's plain text
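Review bot: The new round-trip check rejects the unsafe value, but the `warn` that follows echoes the raw, untrusted content_type into the log, so a header carrying terminal escape sequences (which Shellwords would escape and hence reject) still reaches whoever reads stderr unescaped; prefer `warn "content_type #{@content_type.inspect} is not safe, changed to application/octet-stream"`. The check itself holds for the shell case — Shellwords.escape passes `A-Za-z0-9_-.,:+/@` through untouched, so `text/plain` and `application/xhtml+xml` survive while every shell metacharacter forces the octet-stream fallback — but nothing at the check says why a Shellwords round-trip is the test, so a comment is warranted: `## this value is handed to the mime-decode hook, which may interpolate it unquoted into a shell command; accept only what Shellwords.escape leaves unchanged.` A content_type still carrying MIME parameters (`text/plain; charset=...`) would also fail this test and be downgraded; whether callers pass a bare type/subtype here is not visible in the hunk. initialize continues past the end of the hunk.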
@@ -129,7 +134,7 @@ EOS
else
## please see note in write_to_disk on important usage
## of quotes to avoid remote command injection.
- HookManager.run "mime-decode", :content_type => content_type,
+ HookManager.run "mime-decode", :content_type => @content_type,
:filename => lambda { write_to_disk },
:charset => encoded_content.charset,
:sibling_types => sibling_types
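Review bot: Only content_type is sanitized before the mime-decode hook runs; `:charset => encoded_content.charset` and `:sibling_types => sibling_types` are passed straight through, and both originate from the same attacker-controlled MIME headers. A hook that interpolates charset unquoted into a shell command (an iconv invocation is the obvious case) would be injectable exactly as content_type was, so if hooks are written that way the same Shellwords round-trip guard belongs on charset before this call, e.g. `charset = encoded_content.charset` followed by `charset = nil unless charset.nil? || Shellwords.escape(charset) == charset`, with sibling_types filtered the same way. Whether any shipped hook actually does this is not visible here, and the existing comment above the call only covers the filename path. initialize begins before this hunk.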
@@ -195,7 +200,7 @@ EOS
## note that the path returned from write_to_disk is
## Shellwords.escaped and is intended to be used without single
## or double quotes. the use of either opens sup up for remote
- ## code injection in the file name.
+ ## code injection through the file name.
def write_to_disk
begin
file = Tempfile.new(["sup", Shellwords.escape(@filename.gsub("/", "_")) || "sup-attachment"])
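Review bot: In the Tempfile.new call at the end of the hunk the fallback `|| "sup-attachment"` is dead: `||` applies to the result of `Shellwords.escape(...)`, which is always a String and never nil, so a missing @filename raises NoMethodError on `.gsub` before the fallback is ever reached. If a nil filename is possible (the hunk does not show how @filename is populated) the fallback has to wrap the filename itself, e.g. `Tempfile.new(["sup", Shellwords.escape((@filename || "sup-attachment").gsub("/", "_"))])`. The reworded comment states the returned path is Shellwords.escaped, yet only the basename is escaped here; unless the return statement outside the hunk escapes the full path, a TMPDIR containing shell metacharacters would not be covered, which is worth a caveat in that comment. write_to_disk continues past the end of the hunk.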