Closed ponypot closed 1 year ago
Fix committed for arbitrary command execution [31b79e3] Close #242
Not planning on doing script permissions. Other users will not have write access to the .winff folder. (Also Lazarus SaveToFile has no option to set permissions anyway)
Hello
While doing some tests with winff, I noticed two issues that could lead to arbitrary command execution while processing files.
The first one is due to the way filenames are inserted in the temporary shell scripts generated to convert the media. Due to the lack of character escaping, it is possible to insert system commands using a specially crafted filename such as 'aaa";xcalc;".avi' or 'aaa$(xcalc).mp4':
If a user tries to convert files from untrusted sources without checking their filename, it may lead to the compromising of his workstation.
The second issue is related to the permissions of this script. As shown in the following picture, every user can access and modify them. Even if those files are only temporary and launched right after generation, it leads to a race condition where another user may try to replace the script content before its execution in order to execute their own command with the winff user's permissions.
Do you think it is possible to patch these issues?
Regards,
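
The first issue in the report above comes down to writing a filename into a generated script without quoting it. The following is an added example, not part of the original report and not WinFF's code or its committed fix: a POSIX shell helper that turns any filename into a single inert shell word. The function names, the sample names and the `ffmpeg -i` command line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: quote filenames before writing them into a generated script.

# sh_quote NAME: print NAME as one single-quoted shell word.
# Inside single quotes nothing is special except ' itself, so every '
# is emitted as '\'' (close quote, escaped quote, reopen quote).
sh_quote() {
    q="'"
    rest=$1
    out=
    while :; do
        case $rest in
            *"$q"*)
                head=${rest%%"$q"*}     # text before the first '
                rest=${rest#*"$q"}      # text after the first '
                out=$out$head$q\\$q$q   # append head followed by '\''
                ;;
            *)
                out=$out$rest
                break
                ;;
        esac
    done
    printf "'%s'" "$out"
}

# gen_line IN OUT: the line a generator would write into the temp script.
# The ffmpeg invocation is illustrative only.
gen_line() {
    printf 'ffmpeg -i %s %s\n' "$(sh_quote "$1")" "$(sh_quote "$2")"
}

# roundtrip NAME: let the shell parse the quoted form and print what it
# sees. It succeeds only if the result is exactly one argument.
roundtrip() {
    eval "set -- $(sh_quote "$1")"
    [ "$#" -eq 1 ] && printf '%s' "$1"
}

# Constructed sample names: the two from the report plus one containing '.
for name in 'aaa";xcalc;".avi' 'aaa$(xcalc).mp4' "it's a test.avi"; do
    gen_line "$name" "out.mkv"
done
```

The generated lines contain the names verbatim inside single quotes, so the shell treats `;`, `"` and `$(...)` as ordinary filename characters.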