Fix Shell Injection in FontManager._get_nix_font_path

#501 Merged at c0c0d40
Source: Javantea, branch default
Destination: birkenfeld, branch default
Author: Javantea
Description

Product: Pygments
Version: 1.2.2-2.0.2 497:fe62167596bb to 3693:655dbebddc23 Tue Nov 06 17:30:45 2007 +0000 to Sept 28, 2015.
Website: http://pygments.org/
Bitbucket: https://bitbucket.org/birkenfeld/pygments-main
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Discovery: Aug 21, 2015

An unsafe use of string concatenation in a shell string occurs in FontManager. If the developer allows the attacker to choose the font and outputs an image, the attacker can execute any shell command on the remote system. The name variable injected comes from the constructor of FontManager, which is invoked by ImageFormatter from options.

pygments/formatters/img.py:82

def _get_nix_font_path(self, name, style):
    try:
        from commands import getstatusoutput
    except ImportError:
        from subprocess import getstatusoutput
    # name and style are interpolated straight into a string that the
    # shell evaluates; a double quote in either one ends the fc-list
    # pattern and whatever follows runs as a separate command.
    exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
                                (name, style))
    if not exit:
        lines = out.splitlines()
        if lines:
            # fc-list prints "<path>:" so the trailing colon is stripped
            path = lines[0].strip().strip(':')
            return path

Recommendation

shlex.quote should be used to ensure that an attacker cannot inject commands. https://docs.python.org/3/library/shlex.html#shlex.quote
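Side by side, as an added example that is not code from the Pygments repository: the original shell-string construction, the shlex.quote form the report recommends, and a shell-free argv form of the kind the maintainer mentions. The hostile font name and the fake fc-list runner are constructed so the lookup can be exercised offline.

```python
import shlex
import subprocess
from typing import Callable, List, Optional

# Constructed sample input: a font name carrying shell metacharacters.
HOSTILE_NAME = 'DejaVu Sans"; echo injected; echo "'
SAMPLE_PATH = '/usr/share/fonts/truetype/dejavu/DejaVuSans.ttf'


def unsafe_fc_list_command(name: str, style: str) -> str:
    """The command string the original _get_nix_font_path handed to a shell."""
    return 'fc-list "%s:style=%s" file' % (name, style)


def quoted_fc_list_command(name: str, style: str) -> str:
    """Same command with the pattern quoted as the report recommends."""
    return 'fc-list %s file' % shlex.quote('%s:style=%s' % (name, style))


def fc_list_argv(name: str, style: str) -> List[str]:
    """Argument vector for running fc-list with no shell at all."""
    return ['fc-list', '%s:style=%s' % (name, style), 'file']


def shell_tokens(command: str) -> List[str]:
    """How a POSIX shell would split the command; used to compare the two string forms."""
    return shlex.split(command)


def _run_argv(argv: List[str]) -> str:
    """Default runner: argv[1] reaches fc-list as a single argument, whatever it contains."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ''


def get_nix_font_path(name: str, style: str,
                      run: Callable[[List[str]], str] = _run_argv) -> Optional[str]:
    """Hardened replacement for _get_nix_font_path; `run` is injectable for offline use."""
    lines = run(fc_list_argv(name, style)).splitlines()
    if lines:
        return lines[0].strip().strip(':')   # fc-list prints "<path>:"
    return None


def fake_fc_list(argv: List[str]) -> str:
    """Constructed stand-in for fc-list: knows one font, answers nothing for any other pattern."""
    if argv[0] == 'fc-list' and argv[1] == 'DejaVu Sans:style=Regular':
        return SAMPLE_PATH + ':\n'
    return ''
```

With the hostile name the unsafe string splits into seven shell words, while the quoted string and the argv form both carry the whole pattern as one argument.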

Comments (2)

  1. Tim Hatch

    Thanks for the report. I would rather avoid the shell entirely by switching to Popen; would you like to be listed in the AUTHORS, and if so, how? Also, are you aware of a user of Pygments that exposes these parameters remotely? (you've listed AV:N)

  2. Javantea author

    Many thanks for merging and improving. Feel free to add me to AUTHORS as Javantea. I have not looked for any users of Pygments who use the img formatter. The existence of the img formatter in a library commonly used for web apps seems to be enough of a reason to warrant AV:N even if none of the popular users (Github, Bitbucket, etc) use this feature. In fact, users who don't use this feature probably leave out this file just so that they don't have to audit it during a code audit.