FS#77698 - [tilix] tilix's python-nautilus extension may cause code execution with specially crafted filename
Attached to Project:
Community Packages
Opened by Keyu Tao (taoky) - Thursday, 02 March 2023, 09:05 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:07 GMT
Opened by Keyu Tao (taoky) - Thursday, 02 March 2023, 09:05 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:07 GMT
|
Details
Description:
In /usr/share/nautilus-python/extensions/open-tilix.py, function `open_terminal_in_file()` executes tilix with string concatenating: ```python def open_terminal_in_file(filename): if filename: call('{0} -w "{1}" &'.format(TERMINAL, filename), shell=True) else: call("{0} &".format(TERMINAL), shell=True) ``` However, the parameter "filename" is not properly escaped, thus unexpected things may happen when filename contains `"`. Additional info: * package version(s) - tilix 1.9.5-5 - python-nautilus 4.0-1 - nautilus 43.2-1 * config and/or log files etc. N/A * link to upstream bug report, if any https://github.com/gnunn1/tilix/pull/2114 However, tilix has only very minimal maintenance currently. Steps to reproduce: 1. Create a folder with name: "; touch testfile; " 2. Open nautilus, and right-click on this folder, and then click "Open In Tilix" 3. A file named "testfile" is created in current user's home folder. |
This task depends upon
Closed by Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:07 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/p ackaging/packages/tilix/issues/1
Saturday, 25 November 2023, 20:07 GMT
Reason for closing: Moved
Additional comments about closing: https://gitlab.archlinux.org/archlinux/p ackaging/packages/tilix/issues/1
Hope it helps.
FS#76388. Upstream doesn't seem very responsive.