#########################
#       Not Valid       #
#########################

Remote command injection in Ruby Gem attachment_on_the_fly 0.1.2
4/15/2013

******************************************************************************
* It appears paperclip filters filenames down to acceptable characters,      *
* making this non-exploitable.                                               *
******************************************************************************

Code snippet from paperclip-3.4.1/lib/paperclip/attachment.rb:

  5 module Paperclip
  6   # The Attachment class manages the files for a given attachment. It saves
  7   # when the model saves, deletes when the model is destroyed, and processes
  8   # the file upon assignment.
  9   class Attachment
 10     def self.default_options
 11       @default_options ||= {
 12         :convert_options => {},
 13         :default_style => :original,
 14         :default_url => "/:attachment/:style/missing.png",
 15         :escape_url => true,
 16         :restricted_characters => /[&$+,\/:;=?@<>\[\]\{\}\|\\\^~%# ]/,

Line 16 does a good job of taking any fun characters out of the filename that
we'd use for command injection.

https://rubygems.org/gems/attachment_on_the_fly

Remote command injection if the filename or geometry values supplied by the
user contain any shell metacharacters. In the following code snippet, user
supplied data is passed directly to the command line.

./attachment_on_the_fly-0.1.2/lib/attachment_on_the_fly.rb

  if kind == "height"
    # resize_image infilename, outfilename, 0, height
    command = "#{convert_command_path}convert -colorspace RGB -geometry x#{height} -quality 100 -sharpen 1 #{original} #{newfilename} 2>&1 > /dev/null"
  elsif kind == "width"
    # resize_image infilename, outfilename, width
    command = "#{convert_command_path}convert -colorspace RGB -geometry #{width} -quality 100 -sharpen 1 #{original} #{newfilename} 2>&1 > /dev/null"
  elsif kind == "both"
    # resize_image infilename, outfilename, height, width
    command = "#{convert_command_path}convert -colorspace RGB -geometry #{width}x#{height} -quality 100 -sharpen 1 #{original} #{newfilename} 2>&1 > /dev/null"
  end

  `#{command}`

If a filename contains a shell metacharacter such as ';', code can be injected
into the command line.

Larry W. Cashdollar
@_larry0
http://vapid.dhs.org