From eddedbfc14916aa06fc01ff04b38aeb30ae2e625 Mon Sep 17 00:00:00 2001 From: John MacFarlane Date: Thu, 20 Jul 2023 09:26:38 -0700 Subject: Fix new variant of the vulnerability in CVE-2023-35936. Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete. An attacker could get around it by double-encoding the malicious extension to create or override arbitrary files. $ echo '![](data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua)' >b.md $ .cabal/bin/pandoc b.md --extract-media=bar

$ cat b.lua print "hello" $ find bar bar/ bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+ This commit adds a test case for this more complex attack and fixes the vulnerability. (The fix is quite simple: if the URL-unescaped filename or extension contains a '%', we just use the sha1 hash of the contents as the canonical name, just as we do if the filename contains '..'.) --- src/Text/Pandoc/Class/IO.hs | 2 ++ 1 file changed, 2 insertions(+) (limited to 'src/Text/Pandoc/Class/IO.hs') diff --git a/src/Text/Pandoc/Class/IO.hs b/src/Text/Pandoc/Class/IO.hs index 86ed83c89..2ae3b5cee 100644 --- a/src/Text/Pandoc/Class/IO.hs +++ b/src/Text/Pandoc/Class/IO.hs @@ -224,6 +224,8 @@ writeMedia :: (PandocMonad m, MonadIO m) -> m () writeMedia dir (fp, _mt, bs) = do -- we normalize to get proper path separators for the platform + -- we unescape URI encoding, but given how insertMedia + -- is written, we shouldn't have any % in a canonical media name... let fullpath = normalise $ dir unEscapeString fp liftIOError (createDirectoryIfMissing True) (takeDirectory fullpath) report $ Extracting (T.pack fullpath) -- cgit v1.2.3