CVE-2023-1350: Fix RCE vulnerability on feed enrichment · lwindolf/liferea@8d8b5b9

Permalink

Browse files

Fix RCE vulnerability on feed enrichment

Currently there are a few places in the code that do not check URLs for the presence of a command prefix, allowing malicious websites to run any command in the local system.

Trying to run feed enrichment (i.e. after option “Extract full content from HTML5 and Google AMP” is enabled) in a subscription that produces this item:

<item>
  <title>Check /tmp/bad-item-link.txt</title>
  <link>|date &gt;/tmp/bad-item-link.txt</link>
</item>

will cause Liferea to call update_request_new on URL “|date >/tmp/bad-item-link.txt” and then blindly run the command. A similar effect happens when running the feed enrichment in a item that links to a document like this:

<!DOCTYPE html>
<html>
 <head>
  <title>AMP URL RCE PoC</title>
  <link rel="amphtml" href="|date &gt; /tmp/bad-amp-url.txt">
 </head>
 <body>
     Check the results in /tmp/bad-amp-url.txt
 </body>
</html>

once Liferea tries to load the AMP URL.

There are other calls to update_request_* functions where URLs are validated correctly (e.g. in feed icons and comments) and do not trigger this vulnerability. Since the subscription update is the exception where feed commands are supported (and welcome!) I chose to lock this feature behind a non-persistent flag and only enable it when required. This is safer than adding the flag in updateOptions, which is usually reused in subordinate requests.

This failure exists since commits b828838 and b67dbba from Setember 2017.

• Loading branch information