diff options
| author | John MacFarlane <jgm@berkeley.edu> | 2023-07-20 09:26:38 -0700 |
|---|---|---|
| committer | John MacFarlane <jgm@berkeley.edu> | 2023-07-20 11:51:28 -0700 |
| commit | eddedbfc14916aa06fc01ff04b38aeb30ae2e625 (patch) | |
| tree | e9e8f62d6df0f071b82854b07355e31592eff48d /test/Tests | |
| parent | db2594aed4320423a13d2e1714279a9a801fb5f3 (diff) | |
Fix new variant of the vulnerability in CVE-2023-35936.
Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete.
An attacker could get around it by double-encoding the malicious
extension to create or override arbitrary files.
$ echo '' >b.md
$ .cabal/bin/pandoc b.md --extract-media=bar
<p><img
src="bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+%2f%2e%2e%2f%2e%2e%2fb%2elua" /></p>
$ cat b.lua
print "hello"
$ find bar
bar/
bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+
This commit adds a test case for this more complex attack and fixes
the vulnerability. (The fix is quite simple: if the URL-unescaped
filename or extension contains a '%', we just use the sha1 hash of the
contents as the canonical name, just as we do if the filename contains
'..'.)
Diffstat (limited to 'test/Tests')
| -rw-r--r-- | test/Tests/MediaBag.hs | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/test/Tests/MediaBag.hs b/test/Tests/MediaBag.hs index 65b6716d9..4cb4ab807 100644 --- a/test/Tests/MediaBag.hs +++ b/test/Tests/MediaBag.hs @@ -20,7 +20,7 @@ tests = [ let d = B.doc $ B.para (B.image "../../test/lalune.jpg" "" mempty) <> B.para (B.image "moon.jpg" "" mempty) <> - B.para (B.image "data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%2f%2e%2e%2f%2e%2e%2fa%2elua" "" mempty) <> + B.para (B.image "data:image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%2f%2e%2e%2f%2e%2e%2fa%2elua" "" mempty) <> B.para (B.image "data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" "" mempty) runIOorExplode $ do fillMediaBag d @@ -35,4 +35,14 @@ tests = [ (exists3 && not exists4) exists5 <- doesFileExist ("foo" </> "d5fceb6532643d0d84ffe09c40c481ecdf59e15a.gif") assertBool "data uri with gif is not properly decoded" exists5 + -- double-encoded version: + let e = B.doc $ + B.para (B.image "data:image/png;base64,cHJpbnQgInB3bmVkIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua" "" mempty) + runIOorExplode $ do + fillMediaBag e + extractMedia "bar" e + exists6 <- doesFileExist ("bar" </> "772ceca21a2751863ec46cb23db0e7fc35b9cff8.png") + exists7 <- doesFileExist "b.lua" + assertBool "data uri with double-encoded malicious payload gets written outside of destination dir" + (exists6 && not exists7) ] |