commit eddedbfc14916aa06fc01ff04b38aeb30ae2e625
Author: John MacFarlane
Date:   Thu Jul 20 09:26:38 2023 -0700

    Fix new variant of the vulnerability in CVE-2023-35936.

    Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete.
    An attacker could get around it by double-encoding the malicious
    extension to create or override arbitrary files.

        $ echo '![](data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua)' >b.md
        $ .cabal/bin/pandoc b.md --extract-media=bar

$ cat b.lua print "hello" $ find bar bar/ bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+ This commit adds a test case for this more complex attack and fixes the vulnerability. (The fix is quite simple: if the URL-unescaped filename or extension contains a '%', we just use the sha1 hash of the contents as the canonical name, just as we do if the filename contains '..'.) --- pandoc-2.14.0.3/src/Text/Pandoc/MediaBag.hs.orig 2024-03-22 16:40:07.874200094 +0800 +++ pandoc-2.14.0.3/src/Text/Pandoc/MediaBag.hs 2024-03-22 16:42:13.289905373 +0800 @@ -85,16 +85,17 @@ newpath = if isRelative fp'' && isNothing uri && not (".." `T.isInfixOf` fp') + && '%' `notElem` fp'' then fp'' - else showDigest (sha1 contents) <> "." <> ext + else showDigest (sha1 contents) <> ext fallback = case takeExtension fp'' of ".gz" -> getMimeTypeDef $ dropExtension fp'' _ -> getMimeTypeDef fp'' mt = fromMaybe fallback mbMime path = maybe fp'' (unEscapeString . uriPath) uri ext = case takeExtension path of - '.':e -> e - _ -> maybe "" T.unpack $ extensionFromMimeType mt + '.':e | '%' `notElem` e -> '.':e + _ -> maybe "" (\x -> '.':T.unpack x) $ extensionFromMimeType mt -- | Lookup a media item in a 'MediaBag', returning mime type and contents.