From 7b0cce080345e5b7ef26d122f18809c93a19a80e Mon Sep 17 00:00:00 2001
From: Cristy
Date: Mon, 16 Nov 2020 18:17:31 +0000
Subject: [PATCH] fix shell injection vulnerability via the -authenticate option
---
 coders/pdf.c | 15 ++++++---------
 magick/string.c | 8 +++++++-
 2 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/coders/pdf.c b/coders/pdf.c
index 63eda5d81..074ba3f64 100644
--- a/coders/pdf.c
+++ b/coders/pdf.c
@@ -585,17 +585,14 @@ static Image *ReadPDFImage(const ImageInfo *image_info,ExceptionInfo *exception)
 if (stop_on_error != MagickFalse)
 (void) ConcatenateMagickString(options,"-dPDFSTOPONERROR ",MaxTextExtent);
 option=GetImageOption(image_info,"authenticate");
- if (option != (char *) NULL)
+ if ((option != (char *) NULL) && (strpbrk(option,"&;<>|") == (char *) NULL))
 {
 char
- message[MagickPathExtent],
- *passphrase;
-
- passphrase=SanitizeString(option);
- (void) FormatLocaleString(message,MagickPathExtent,
- "\"-sPDFPassword=%s\" ",passphrase);
- passphrase=DestroyString(passphrase);
- (void) ConcatenateMagickString(options,message,MagickPathExtent);
+ passphrase[MagickPathExtent];
+
+ (void) FormatLocaleString(passphrase,MagickPathExtent,
+ "\"-sPDFPassword=%s\" ",option);
+ (void) ConcatenateMagickString(options,passphrase,MagickPathExtent);
 }
 read_info=CloneImageInfo(image_info);
 *read_info->magick='\0';
diff --git a/magick/string.c b/magick/string.c
index c8ffa086f..7f6eebc3b 100644
--- a/magick/string.c
+++ b/magick/string.c
@@ -1604,9 +1604,15 @@ MagickExport char *SanitizeString(const char *source)
 *p;
 
 static char
+#if defined(MAGICKCORE_WINDOWS_SUPPORT)
 whitelist[] =
 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
- "$-_.+!*'(),{}|\\^~[]`\"><#%;/?:@&=";
+ "$-_.+!;*(),{}|^~[]`\'><#%/?:@&=";
+#else
+ whitelist[] =
+ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 "
+ "$-_.+!;*(),{}|\\^~[]`\"><#%/?:@&=";
+#endif
 
 sanitize_source=AcquireString(source);
 p=sanitize_source;
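Review bot: The new guard `strpbrk(option,"&;<>|")` is a denylist, while the value is still formatted into a double-quoted argument by `"\"-sPDFPassword=%s\" "`. It therefore omits the double quote that delimits that argument, and the characters a POSIX shell still interprets inside double quotes (backquote, dollar sign, backslash). Assuming `options` ends up in a command line run through a shell, which the commit subject implies but the hunk does not show, an allowlist is the safer shape: `if ((option != (char *) NULL) && (option[strspn(option,allowed)] == '\0'))`, with `allowed` a fixed set of characters known to be inert in that quoting. A rejected passphrase is also dropped silently, so the caller only sees a later decrypt failure; reporting it through `exception` would make the refusal visible. ReadPDFImage starts and ends outside the hunk.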
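Review bot: Both `whitelist` variants still admit most shell metacharacters (`$`, backquote, `|`, `;`, `&`, `<`, `>`), so the result of SanitizeString is only inert inside one specific quoting style, and nothing in the hunk says which. Judging by the characters removed, the non-Windows list (no `'`) looks intended for single-quoted arguments and the Windows list (no `"` or backslash) for double-quoted ones. If that is the intent, a comment above the `#if` such as `/* result is safe only inside '...' (POSIX) or "..." (Windows) quoting */` would keep callers from embedding it in the wrong context. `whitelist` is not written in the visible lines and could be declared `static const char`. SanitizeString starts and ends outside the hunk.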