I have found a shell injection vulnerability in contrib/gitview/gitview.
Gitview Shell Injection Vulnerability
Versions affected: 8cb711c8a5-1d1bdafd64 (<=2.11.0)
Gitview executes shell commands using string concatenation with user supplied
data, filenames and branch names. Running Gitview and interacting with the user
interface with a malicious filename or branch name in the current repository
results in malicious commands being executed as the current user.
AnnotateWindow.add_file_data(self, filename, commit_sha1, line_num):
fp = os.popen("git cat-file blob " + commit_sha1 +":"+filename)
AnnotateWindow.annotate(self, filename, commit_sha1, line_num):
fp = os.popen("git ls-tree "+ commit_sha1 + " -- " + filename)
fp = os.popen("git blame --incremental -C -C -- " + filename + " " +
commit_sha1)
GitView.set_branch(self, args):
fp = os.popen("git rev-parse --sq --default HEAD " + list_to_string(args,
1))
fp = os.popen("git rev-list --header --topo-order --parents " +
git_rev_list_cmd)
The program also has other uses of os.popen but none use values that the user
can manipulate. However, the fix should definitely replace these instances so
that the code might one day pass pylint and manual code review easier.
The function os.popen has been replaced by safer functions in the subprocess
module. The code can be improved easily because it requires very little change
to convert the code to work with arrays of strings instead of strings.
If you have any questions or would like a patch, please let me know.
Regards,
Javantea
