From dc9740df61e575e8c3148b7bd3c147a81ea00c7c Mon Sep 17 00:00:00 2001 From: Lasse Collin Date: Mon, 4 Apr 2022 23:52:49 -0700 Subject: zgrep: avoid exploit via multi-newline file names * zgrep.in: The issue with the old code is that with multiple newlines, the N-command will read the second line of input, then the s-commands will be skipped because it's not the end of the file yet, then a new sed cycle starts and the pattern space is printed and emptied. So only the last line or two get escaped. This patch makes sed read all lines into the pattern space and then do the escaping. This vulnerability was discovered by: cleemy desu wayo working with Trend Micro Zero Day Initiative --- zgrep.in | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/zgrep.in b/zgrep.in index 345dae3..bdf7da2 100644 --- a/zgrep.in +++ b/zgrep.in @@ -222,9 +222,13 @@ do '* | *'&'* | *'\'* | *'|'*) i=$(printf '%s\n' "$i" | sed ' - $!N - $s/[&\|]/\\&/g - $s/\n/\\n/g + :start + $!{ + N + b start + } + s/[&\|]/\\&/g + s/\n/\\n/g ');; esac sed_script="s|^|$i:|" -- cgit v1.1