
Security fixes for shellescaping #2

@arturxedex128

Description

@arturxedex128

There is no shell escaping in the plugin ... text elements could execute any command by enabling Images:

example:
<<img path="s';xeyes" height=5>>

patch is:

diff --git a/plugin/imager.vim b/plugin/imager.vim
index d4cdb0b..f92366f 100644
--- a/plugin/imager.vim
+++ b/plugin/imager.vim
@@ -334,14 +334,14 @@ function! s:GetWindowImages() " {{{1
                                else
                                        let snippet_string = formula
                                endif
-                               let hash = split(system(printf('echo -n "%s" | md5sum', snippet_string)), ' ')[0]
+                               let hash = split(system(printf('echo -n "%s" | md5sum', shellescape(snippet_string))), ' ')[0]

                                " Figure out what would be the directory and image paths
                                let dir_path = '/tmp/latex_images'
                                let image_path = dir_path . '/' . hash . '.png'

                                " Create the latex image if it doesn't already exist
-                               if !system('[ -e ' . "'" . image_path . "'" . ' ] && echo 1')
+                               if !system('[ -e ' . "'" . shellescape(image_path) . "'" . ' ] && echo 1')
                                        " If the foreground or background colors are a hex value, add HTML:
                                        " before them to make the hex code valid
                                        let foreground = g:imager#latex_foreground
@@ -363,8 +363,8 @@ function! s:GetWindowImages() " {{{1
                                        endif

                                        " Convert the latex expression into an image
-                                       silent! execute printf("!tex2im %s-b %s -t %s '%s'", preamble, background, foreground, formula)
-                                       silent! execute printf("!mv '%s/out.png' '%s'", getcwd(), image_path)
+                                       silent! execute printf("!tex2im %s-b %s -t %s '%s'", shellescape(preamble), background, foreground, shellescape(formula))
+                                       silent! execute printf("!mv '%s/out.png' '%s'", shellescape(getcwd()), shellescape(image_path))
                                endif
                                let new_image.path = image_path
                        endif
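Review bot: Both `silent! execute "!..."` lines run through `:!`, where Vim expands `%`, `#` and `!` before the shell sees the command, and shellescape() without its second argument does not protect those characters; pass the {special} flag, `shellescape(formula, 1)`, and drop the surrounding `'%s'` since shellescape() already quotes. The mv line should quote the whole source path rather than splicing `/out.png` after a quoted directory, `silent! execute printf("!mv %s %s", shellescape(getcwd() . '/out.png', 1), shellescape(image_path, 1))`. Quoting preamble as one unit presumably collapses any options and whitespace it carries into a single argv entry glued to `-b`, which may break tex2im — preamble is built outside this hunk, so confirm its shape before escaping it whole. background and foreground remain unescaped; they appear to come from the g:imager#latex_* settings, so the exposure is limited to the user's own config, but escaping them is cheap. The enclosing s:GetWindowImages() continues beyond both ends of this hunk.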
@@ -401,7 +401,7 @@ function! s:ShowImage(path, x, y, height) " {{{
        " Format the command to execute
        let g:imager#max_id += 1

-       let command = printf("bash %s '%s' %s %s %s", g:imager#ueberzug_path, a:path, a:x, a:y, a:height)
+       let command = printf("bash %s '%s' %s %s %s", g:imager#ueberzug_path, shellescape(a:path), shellescape(a:x), shellescape(a:y), shellescape(a:height))

        " Run the command in a terminal in a new tab, then close it
        new
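Review bot: The bash command line now escapes the four arguments but still interpolates g:imager#ueberzug_path raw and keeps the `'%s'` around the already-escaped a:path, so a script path containing a quote or space breaks the command; `let command = printf("bash %s %s %s %s %s", shellescape(g:imager#ueberzug_path), shellescape(a:path), shellescape(a:x), shellescape(a:y), shellescape(a:height))`. Whether the {special} flag is needed here depends on how `command` is launched after `new`, which is outside this hunk — it is required if the string is handed to `:!`, not if it goes to a terminal job. s:ShowImage() continues past the end of the hunk.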
