From 8d8b5b963fa64c7a2122d1bbfbb0bed46e813e59 Mon Sep 17 00:00:00 2001
From: Alexandre Erwin Ittner <alexandre@ittner.com.br>
Date: Sun, 5 Mar 2023 20:25:00 -0300
Subject: [PATCH] Fix RCE vulnerability on feed enrichment

Currently there are a few places in the code that do not check URLs for
the presence of a command prefix, allowing malicious websites to run any
command in the local system.

Trying to run feed enrichment (i.e. after option "Extract full content
from HTML5 and Google AMP" is enabled) in a subscription that produces
this item:

    <item>
      <title>Check /tmp/bad-item-link.txt</title>
      <link>|date &gt;/tmp/bad-item-link.txt</link>
    </item>

will cause Liferea to call update_request_new on URL
"|date >/tmp/bad-item-link.txt" and then blindly run the command. A
similar effect happens when running the feed enrichment in a item that
links to a document like this:

    <!DOCTYPE html>
    <html>
     <head>
      <title>AMP URL RCE PoC</title>
      <link rel="amphtml" href="|date &gt; /tmp/bad-amp-url.txt">
     </head>
     <body>
         Check the results in /tmp/bad-amp-url.txt
     </body>
    </html>

once Liferea tries to load the AMP URL.

There are other calls to update_request_* functions where URLs are
validated correctly (e.g. in feed icons and comments) and do not trigger
this vulnerability. Since the subscription update is the exception where
feed commands are supported (and welcome!) I chose to lock this feature
behind a non-persistent flag and only enable it when required. This is
safer than adding the flag in updateOptions, which is usually reused in
subordinate requests.

This failure exists since commits b8288389820a3f510ef4b21684b22439c41d95a5
and b67dbba73443ab7b36fcd3c78aa803e974c0f23e from Setember 2017.
---
 src/subscription.c |  1 +
 src/update.c       | 17 +++++++++++++++--
 src/update.h       | 16 ++++++++++++++++
 3 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/src/subscription.c b/src/subscription.c
index af0012561..7789b0319 100644
--- a/src/subscription.c
+++ b/src/subscription.c
@@ -282,6 +282,7 @@ subscription_update (subscriptionPtr subscription, guint flags)
 			subscription->updateState,
 			subscription->updateOptions
 		);
+		update_request_allow_commands (request, TRUE);
 
 		if (subscription_get_filter (subscription))
 			request->filtercmd = g_strdup (subscription_get_filter (subscription));
diff --git a/src/update.c b/src/update.c
index b9ab8dd2e..369a2bf10 100644
--- a/src/update.c
+++ b/src/update.c
@@ -234,6 +234,13 @@ update_request_set_auth_value (UpdateRequest *request, const gchar* authValue)
 	request->authValue = g_strdup (authValue);
 }
 
+void
+update_request_allow_commands (UpdateRequest *request, gboolean allowCommands)
+{
+	request->allowCommands = allowCommands;
+}
+
+
 /* update result object */
 
 updateResultPtr
@@ -672,8 +679,14 @@ update_job_run (updateJobPtr job)
 
 	/* everything starting with '|' is a local command */
 	if (*(job->request->source) == '|') {
-		debug1 (DEBUG_UPDATE, "Recognized local command: %s", job->request->source);
-		update_exec_cmd (job);
+		if (job->request->allowCommands) {
+			debug1 (DEBUG_UPDATE, "Recognized local command: %s", job->request->source);
+			update_exec_cmd (job);
+		} else {
+			debug1 (DEBUG_UPDATE, "Refusing to run local command from unexpected source: %s", job->request->source);
+			job->result->httpstatus = 403;  /* Forbidden. */
+			update_process_finished_job (job);
+		}
 		return;
 	}
 
diff --git a/src/update.h b/src/update.h
index d6244ad86..af29f8f97 100644
--- a/src/update.h
+++ b/src/update.h
@@ -103,6 +103,7 @@ struct _UpdateRequest {
 	updateOptionsPtr options;	/**< Update options for the request */
 	gchar		*filtercmd;	/**< Command will filter output of URL */
 	updateStatePtr	updateState;	/**< Update state of the requested object (etags, last modified...) */
+	gboolean	allowCommands;	/**< Allow this requests to run commands */
 };
 
 /** structure to store results of the processing of an update request */
@@ -228,6 +229,21 @@ void update_request_set_source (UpdateRequest *request, const gchar* source);
  */
 void update_request_set_auth_value (UpdateRequest *request, const gchar* authValue);
 
+/**
+ * Allows *this* request to run local commands.
+ *
+ * At first it may look this flag should be in updateOptions, but we can
+ * take a safer path: feed commands are restricted to a few use cases while
+ * options are propagated to downstream requests (feed enrichment, comments,
+ * etc.), so it is a good idea to prevent these from running commands in the
+ * local system via tricky URLs without needing to validate these options
+ * everywhere (which is error-prone).
+ *
+ * @param request      the update request
+ * @param can_run      TRUE if the request can run commands, FALSE otherwise.
+ */
+void update_request_allow_commands (UpdateRequest *request, gboolean allowCommands);
+
 /**
  * Creates a new update result for the given update request.
  *