Blob Blame History Raw
From dc9740df61e575e8c3148b7bd3c147a81ea00c7c Mon Sep 17 00:00:00 2001
From: Lasse Collin <lasse.collin@tukaani.org>
Date: Mon, 4 Apr 2022 23:52:49 -0700
Subject: zgrep: avoid exploit via multi-newline file names

* zgrep.in: The issue with the old code is that with multiple
newlines, the N-command will read the second line of input,
then the s-commands will be skipped because it's not the end
of the file yet, then a new sed cycle starts and the pattern
space is printed and emptied. So only the last line or two get
escaped. This patch makes sed read all lines into the pattern
space and then do the escaping.

This vulnerability was discovered by:
cleemy desu wayo working with Trend Micro Zero Day Initiative
---
 zgrep.in | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/zgrep.in b/zgrep.in
index 345dae3..bdf7da2 100644
--- a/zgrep.in
+++ b/zgrep.in
@@ -222,9 +222,13 @@ do
 '* | *'&'* | *'\'* | *'|'*)
         i=$(printf '%s\n' "$i" |
             sed '
-              $!N
-              $s/[&\|]/\\&/g
-              $s/\n/\\n/g
+              :start
+              $!{
+                N
+                b start
+              }
+              s/[&\|]/\\&/g
+              s/\n/\\n/g
             ');;
       esac
       sed_script="s|^|$i:|"
-- 
cgit v1.1