
CVE-2022-36082: Fix improper validation in `file:<location>` syntax · mansuf/mangadex-downloader@439cc28

mangadex-downloader is a command-line tool to download manga from MangaDex. When the `file:<location>` syntax is used and `<location>` is a web URL (http, https), mangadex-downloader between versions 1.3.0 and 1.7.2 will try to open and read a file on the local disk for each line of the website's contents. Version 1.7.2 contains a patch for this issue.


@@ -31,15 +31,16 @@ def _validate(url): raise argparse.ArgumentTypeError(str(e)) return _url
def validate_url(url): if os.path.exists(url): with open(url, ‘r’) as opener: content = opener.read() else: content = url def _try_read(path): if not os.path.exists(path): return None
with open(path, ‘r’) as o: return o.read()
def validate_url(url): urls = [] for _url in content.splitlines(): for _url in url.splitlines(): if not _url: continue
@@ -245,7 +246,8 @@ def validate(parser, args): elif not os.path.exists(file_path): parser.error(f"File \"{file_path}\" is not exist") else: file_path = urls file_content = _try_read(urls) file_path = file_content if file_content is not None else urls try: args.URL = validate_url(file_path) except argparse.ArgumentTypeError as e:
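Review bot: `_try_read` in the first hunk guards with `os.path.exists(path)`, which is also true for a directory, so `open(path, 'r')` can still raise for a directory or an unreadable file. Consider `os.path.isfile(path)` and catching `OSError` there, and add a docstring noting that `validate_url` now only splits and validates text and never touches the filesystem, since that separation is what the fix relies on.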
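Review bot: in the second hunk, `file_path = file_content if file_content is not None else urls` leaves a variable named `file_path` holding file contents, which hides what is actually handed to `validate_url(file_path)`. A separate name for the text (for example `content`) would make the path/contents distinction explicit. Note also that `_try_read(urls)` sits before the `try:`, so an error raised while opening the file is not covered by the `except argparse.ArgumentTypeError` handler shown here.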

Related news

GHSA-r9x7-2xmr-v8fw: mangadex-downloader vulnerable to unauthorized file reading

### Impact

When using the `file:<location>` command and `<location>` is a web URL location (http, https), mangadex-downloader will try to open and read a file on the local disk for each line of the website content. So far, the app only reads the files and does not execute them. But still, someone reading your files without you knowing is very scary.

### Workarounds

Unfortunately, there are no workarounds to make it safe from this issue. But I suggest you double-check the URL before proceeding to download, or update to the latest version (>= 1.7.2).

### Patches

Fixed in version 1.7.2.

### Reference

- https://github.com/mansuf/mangadex-downloader/blob/v1.7.1/mangadex_downloader/cli/validator.py
- Commit patch: https://github.com/mansuf/mangadex-downloader/commit/439cc2825198ebc12b3310c95c39a8c7710c9b42
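The behaviour described in the CVE summary and in the advisory above, as an added example that is not mangadex-downloader's own code: a simplified model of the "path or content" ambiguity next to a form that reads from disk only for the location the user typed. All function names, the `fetch` stand-in and the sample data are assumptions constructed for illustration.

```python
import os
import tempfile

def read_or_passthrough(value):
    # Pre-patch pattern (simplified model): a string that names an existing
    # file is silently replaced by that file's contents.
    if os.path.exists(value):
        with open(value, "r") as fh:
            return fh.read()
    return value

def urls_from_remote_vulnerable(remote_text):
    # Every line of untrusted remote text goes through the path check.
    out = []
    for line in remote_text.splitlines():
        if line:
            out.extend(read_or_passthrough(line).splitlines())
    return out

def split_lines(text):
    # Post-patch pattern: pure parsing, no filesystem access.
    return [line for line in text.splitlines() if line]

def urls_from_location(location, fetch):
    # The local read happens once, and only on the location the user typed.
    if location.startswith(("http://", "https://")):
        return split_lines(fetch(location))
    with open(location, "r") as fh:
        return split_lines(fh.read())

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        local = os.path.join(tmp, "notes.txt")
        with open(local, "w") as fh:
            fh.write("local-only data\n")
        # Constructed remote list: one URL line and one line naming a local file.
        remote = "https://example.invalid/title/1\n" + local + "\n"
        fetch = lambda url: remote  # hypothetical stand-in for the HTTP request
        before = urls_from_remote_vulnerable(remote)
        after = urls_from_location("https://example.invalid/list.txt", fetch)
        return before, after, local

if __name__ == "__main__":
    before, after, local = demo()
    print("pre-patch model :", before)   # file contents appear in the list
    print("post-patch model:", after)    # the path stays an inert string
```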
