Project: openSUSE:Backports:SLE-15-SP4:Update
File CVE-2023-28371-2.patch of Package stellarium
From 787a894897b7872ae96e6f5804a182210edd5c78 Mon Sep 17 00:00:00 2001 From: Georg Zotti <Georg.Zotti@univie.ac.at> Date: Sat, 4 Mar 2023 18:03:44 +0100 Subject: [PATCH] Fix a possible security issue - Require manually set flag to run scripts from absolute pathname - Mostly applies to scripts given on the command line --- guide/app_config_ini.tex | 2 ++ src/scripting/StelScriptMgr.cpp | 19 ++++++++++++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/guide/app_config_ini.tex b/guide/app_config_ini.tex index dc2c1b389ba4..8afafe13545e 100644 --- a/guide/app_config_ini.tex +++ b/guide/app_config_ini.tex @@ -736,6 +736,8 @@ \subsection{\big[scripts\big]} \begin{tabularx}{\textwidth}{l|l|l|X}\toprule \emph{ID} & \emph{Type} & \emph{Default} & \emph{Description}\\\midrule startup\_script & string & startup.ssc & name of script executed on program start\\ +flag\_script\_allow\_absolute\_path & bool & false & set true to allow scripts from absolute pathnames. + This may pose a security risk if you run arbitrary scripts.\\ flag\_script\_allow\_write\_absolute\_path & bool & false & set true to let scripts store files to absolute pathnames. This may pose a security risk if you run scripts from other authors without checking what they are doing.\\\bottomrule diff --git a/src/scripting/StelScriptMgr.cpp b/src/scripting/StelScriptMgr.cpp index dfec114aefb0..fc1debc72946 100644 --- a/src/scripting/StelScriptMgr.cpp +++ b/src/scripting/StelScriptMgr.cpp 
@@ -794,8 +794,10 @@ bool StelScriptMgr::runPreprocessedScript(const QString &preprocessedScript, con bool StelScriptMgr::runScript(const QString& fileName, const QString& includePath) { QString preprocessedScript; - prepareScript(preprocessedScript,fileName,includePath); - return runPreprocessedScript(preprocessedScript,fileName); + if (prepareScript(preprocessedScript,fileName,includePath)) + return runPreprocessedScript(preprocessedScript,fileName); + else + return false; } bool StelScriptMgr::runScriptDirect(const QString scriptId, const QString &scriptCode, int &errLoc, const QString& includePath) @@ -820,9 +822,20 @@ bool StelScriptMgr::runScriptDirect(const QString& scriptCode, const QString &in bool StelScriptMgr::prepareScript( QString &script, const QString &fileName, const QString &includePath) { QString absPath; + const bool okToRunScriptFromAbsolutePath=StelApp::getInstance().getSettings()->value("scripts/flag_script_allow_absolute_path", false).toBool(); if (QFileInfo(fileName).isAbsolute()) - absPath = fileName; + { + // Absolute paths may bear a security risk. We need a flag to allow them! + if (okToRunScriptFromAbsolutePath) + absPath = fileName; + else + { + qWarning() << "SCRIPTING CONFIGURATION ISSUE: You are trying to run a script from absolute pathname."; + qWarning() << " To enable this, edit config.ini and set [scripts]/flag_script_allow_absolute_path=true"; + return false; + } + } else absPath = StelFileMgr::findFile("scripts/" + fileName);
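Review bot: the new flag\_script\_allow\_absolute\_path row in guide/app_config_ini.tex should say that the flag also gates scripts passed on the command line, since the commit message names that as the main case affected; as written, a user whose startup invocation stops working after this update finds no pointer in the guide. Suggest extending the description to something like "set true to allow scripts from absolute pathnames (this includes scripts given on the command line)". The row is otherwise consistent in wording and layout with the existing flag\_script\_allow\_write\_absolute\_path entry directly below it.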
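Review bot: the if/else added to runScript collapses to one expression with the same short-circuit behaviour, `return prepareScript(preprocessedScript,fileName,includePath) && runPreprocessedScript(preprocessedScript,fileName);`. More importantly, the old code discarded the return value of prepareScript even though the function was already declared as returning bool (the unchanged `bool StelScriptMgr::prepareScript(` context line in the next hunk shows this), so any other caller of prepareScript that still ignores the result will run the script despite the new refusal; none are visible in this diff, so please confirm they were all updated.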
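Review bot: the new check in prepareScript only rejects a fileName for which QFileInfo(fileName).isAbsolute() is true; a relative name such as ../../some/dir/script.ssc still takes the unchanged else branch and is resolved through StelFileMgr::findFile("scripts/" + fileName), so whether that path can leave the scripts directory depends entirely on findFile, which is not visible here and should be confirmed (or the check widened to also refuse names containing ".." components, for example by testing QDir::cleanPath(fileName) before the isAbsolute branch). Two smaller points: the settings lookup for okToRunScriptFromAbsolutePath now runs on every call, including the common relative-path case, so reading it inside the isAbsolute branch would leave the existing path untouched; and the two qWarning lines name config.ini and [scripts]/flag_script_allow_absolute_path exactly as the guide hunk documents them, so message and documentation agree.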