CVE-2021-4277: randomize uploaded file name to stop URL prediction attack · fredsmith/utils@dbab1b6
A vulnerability, which was classified as problematic, has been found in fredsmith utils. This issue affects some unknown processing of the file screenshot_sync of the component Filename Handler. The manipulation leads to a predictable-from-observable-state weakness: the uploaded file's name, and therefore its public URL, can be guessed. The name of the patch is dbab1b66955eeb3d76b34612b358307f5c4e3944. It is recommended to apply the patch to fix this issue. The identifier VDB-216749 was assigned to this vulnerability.
@@ -1,7 +1,9 @@ #! /usr/bin/env bash set -x source /usr/local/Caskroom/google-cloud-sdk/latest/google-cloud-sdk/path.bash.inc
function send_notify { osascript -e “display notification \"$@\"” } cd ~/Pictures/Screenshots/
if `which scutil > /dev/null`; then @@ -12,9 +14,15 @@ fi
for FILE in Screen\ Shot*.png; do if [[ -f $FILE ]]; then NEWFILENAME=$(echo $FILE | sed -e “s/Screen Shot/$SYSTEMNAME/” -e ‘s/at//’ -e ‘s/ /-/g’ -e ‘s/–/-/g’); randstring=$(cat /dev/urandom | tr -dc ‘a-zA-Z0-9’ | fold -w 8 | head -n 1)
NEWFILENAME=$(echo $FILE | sed -e “s/Screen Shot/$SYSTEMNAME/” -e ‘s/at//’ -e ‘s/ /-/g’ -e ‘s/–/-/g’ -e “s/\.png/-$randstring\.png/”); mv “$FILE” $NEWFILENAME gsutil cp $NEWFILENAME gs://files.derf.us/ echo “https://files.derf.us/$NEWFILENAME” | pbcopy if gsutil cp $NEWFILENAME gs://files.derf.us/; then echo “https://files.derf.us/$NEWFILENAME” | pbcopy send_notify “https://files.derf.us/$NEWFILENAME” else send_notify “upload failed” fi fi done
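Review bot: in the first hunk, the added `send_notify` splices its argument straight into AppleScript source with `osascript -e "display notification \"$@\""`, so any message containing a double quote or backslash (the second hunk passes file-derived URLs here) produces a syntax error instead of a notification; pass the text as an argument, e.g. `osascript -e 'on run argv' -e 'display notification (item 1 of argv)' -e 'end run' "$1"`. The `cd ~/Pictures/Screenshots/` is also unchecked, so if the directory is absent the rename loop runs in whatever directory the script was launched from; `cd ~/Pictures/Screenshots/ || exit 1` avoids that.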
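Review bot: in the second hunk, `randstring=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1)` addresses the predictable name, but on macOS (this script relies on a Caskroom gcloud install and `pbcopy`) `tr` under a UTF-8 locale can abort with "Illegal byte sequence" when fed /dev/urandom, leaving `randstring` empty and the resulting name exactly as guessable as before; use `LC_ALL=C tr -dc 'a-zA-Z0-9' </dev/urandom | head -c 8` and add `[[ -n $randstring ]] || exit 1` so a failed draw stops the upload rather than silently reverting to the old naming. Eight alphanumeric characters is roughly 47 bits; for a publicly readable bucket, 16 characters costs nothing extra. Separately, `mv "$FILE" $NEWFILENAME` leaves the destination unquoted, and the hunk shows both the bare `gsutil cp $NEWFILENAME gs://files.derf.us/` and the new `if gsutil cp ...; then` form, so confirm only the checked form remains or each screenshot is uploaded twice.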