[tin-bugs] Possible shell injection via group name
Adam W.
tin at chmurka.net
Tue Apr 14 15:18:40 CEST 2026
Hi,
Let's assume the scenario:
1. User configures a signature command containing %G
2. Group name is substitued to the shell command
3. Group name is wrapped in double quotes (sigfile.c,
msg_write_signature()), but it assumes that the group name is sane.
Double quotes or other shell characters, like `, $ or \, are not
escaped
4. Malicious server sends a group called: group"; rm -rf ~;"
5. A malicious command gets injected into popen()
Do you think it's a real vulnerability?
string.c contains sh_format(), maybe it would be a good idea to use it?
More information about the tin-bugs
mailing list