From dc9740df61e575e8c3148b7bd3c147a81ea00c7c Mon Sep 17 00:00:00 2001
From: Lasse Collin <lasse.collin@tukaani.org>
Date: Mon, 4 Apr 2022 23:52:49 -0700
Subject: zgrep: avoid exploit via multi-newline file names

* zgrep.in: The issue with the old code is that with multiple
newlines, the N-command will read the second line of input,
then the s-commands will be skipped because it's not the end
of the file yet, then a new sed cycle starts and the pattern
space is printed and emptied. So only the last line or two get
escaped. This patch makes sed read all lines into the pattern
space and then do the escaping.

This vulnerability was discovered by:
cleemy desu wayo working with Trend Micro Zero Day Initiative
---
zgrep.in | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/zgrep.in b/zgrep.in
index 345dae3..bdf7da2 100644
--- a/zgrep.in
+++ b/zgrep.in
@@ -222,9 +222,13 @@ do
'* | *'&'* | *'\'* | *'|'*)
i=$(printf '%s\n' "$i" |
sed '
- $!N
- $s/[&\|]/\\&/g
- $s/\n/\\n/g
+ :start
+ $!{
+ N
+ b start
+ }
+ s/[&\|]/\\&/g
+ s/\n/\\n/g
');;
esac
sed_script="s|^|$i:|"
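Review bot: the new `:start` / `$!{ N; b start }` loop carries no comment saying that it must gather every line of the file name into the pattern space before the two `s` commands run, so a later cleanup could restore `$`-addressed substitutions and bring back the partial escaping described in the commit message. A short comment beside the loop stating that invariant would help. The diffstat also shows only zgrep.in changing: a regression test using a file name with two or more embedded newlines, checking that every newline, `&`, `\` and `|` in it is escaped before the name is spliced into `sed_script="s|^|$i:|"`, would pin the fix.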
--
cgit v1.1