From 0f936707a2457eb4611d7d42a68a3e066614f8e4 Mon Sep 17 00:00:00 2001 From: Don HO Date: Mon, 14 Jan 2019 20:20:19 +0100 Subject: [PATCH] [EU-FOSSA] Fix a security issue: RCE via unsanitized command line in "Open containing folder" Summary of the Issue: A remote code execution (RCE) vulnerability was found when a user opens a crafted containing folder in the command line. Code execution is possible by injecting a & followed by system commands into the name of the folder. Steps to reproduce: Download the attached archive on Windows: unzip_me.zip (F404758) Unzip it and navigate into it Open the txt file inside with Notepad++ Go to File -> Open containing folder -> cmd Impact statement: Successful exploitation of this vulnerability would allow an attacker to remotely execute arbitrary commands on the victim's computer. --- PowerEditor/src/NppCommands.cpp | 2 +- PowerEditor/src/WinControls/FileBrowser/fileBrowser.cpp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/PowerEditor/src/NppCommands.cpp b/PowerEditor/src/NppCommands.cpp index 81cbfb97..872c54c1 100644 --- a/PowerEditor/src/NppCommands.cpp +++ b/PowerEditor/src/NppCommands.cpp @@ -90,7 +90,7 @@ void Notepad_plus::command(int id) case IDM_FILE_OPEN_CMD: { - Command cmd(TEXT("cmd /K cd /d $(CURRENT_DIRECTORY)")); + Command cmd(TEXT("cmd /K cd /d \"$(CURRENT_DIRECTORY)\"")); cmd.run(_pPublicInterface->getHSelf()); } break; diff --git a/PowerEditor/src/WinControls/FileBrowser/fileBrowser.cpp b/PowerEditor/src/WinControls/FileBrowser/fileBrowser.cpp index 6f827d48..08924291 100644 --- a/PowerEditor/src/WinControls/FileBrowser/fileBrowser.cpp +++ b/PowerEditor/src/WinControls/FileBrowser/fileBrowser.cpp @@ -688,7 +688,7 @@ void FileBrowser::popupMenuCmd(int cmdID) if (::PathFileExists(path.c_str())) { TCHAR cmdStr[1024]; - wsprintf(cmdStr, TEXT("cmd /K cd /d %s"), path.c_str()); + wsprintf(cmdStr, TEXT("cmd /K cd /d \"%s\""), path.c_str()); Command cmd(cmdStr); cmd.run(nullptr); }