diff options
author | Lasse Collin <lasse.collin@tukaani.org> | 2022-04-04 23:52:49 -0700 |
---|---|---|
committer | Jim Meyering <meyering@fb.com> | 2022-04-06 19:04:12 -0700 |
commit | dc9740df61e575e8c3148b7bd3c147a81ea00c7c (patch) | |
tree | 15717d875d0b30b64d757f61b32a968d25eff96f | |
parent | 4c599fa2d6a5429c92599a51dc2f00bbd00dcb83 (diff) | |
download | gzip-dc9740df61e575e8c3148b7bd3c147a81ea00c7c.tar.gz |
zgrep: avoid exploit via multi-newline file names
* zgrep.in: The issue with the old code is that with multiple
newlines, the N-command will read the second line of input,
then the s-commands will be skipped because it's not the end
of the file yet, then a new sed cycle starts and the pattern
space is printed and emptied. So only the last line or two get
escaped. This patch makes sed read all lines into the pattern
space and then do the escaping.
This vulnerability was discovered by:
cleemy desu wayo working with Trend Micro Zero Day Initiative
-rw-r--r-- | zgrep.in | 10 |
1 files changed, 7 insertions, 3 deletions
@@ -222,9 +222,13 @@ do '* | *'&'* | *'\'* | *'|'*) i=$(printf '%s\n' "$i" | sed ' - $!N - $s/[&\|]/\\&/g - $s/\n/\\n/g + :start + $!{ + N + b start + } + s/[&\|]/\\&/g + s/\n/\\n/g ');; esac sed_script="s|^|$i:|" |