Single quotes and other chars are not escaped; Lua injection vuln

Open J0w03L opened this issue 11 months ago • 4 comments

Just like the title says, when awesome-appmenu generates the appmenu.lua file and encounters an app with a ' character in its name, awesome-appmenu will not escape that character.

One such example of a popular application that causes this is the game Garry's Mod.

This bug can be exploited to inject arbitrary Lua code that will always run at awesome's startup.

A malicious .desktop file could have the name `foo', os.exit() }, --` and this would immediately kick the user out of their X session.

J0w03L avatar Mar 02 '24 13:03 J0w03L

Or Don't Starve Together

zen0bit avatar Apr 23 '24 04:04 zen0bit

Merged commit doesn't quite fix the vulnerability; the escape can itself be escaped. For example: `foo\', os.exit() }, --`

J0w03L avatar Apr 24 '24 18:04 J0w03L

Yes, I have not solved that.

Up to someone else...

I just made the menu with ' actually work.

zen0bit avatar Apr 24 '24 23:04 zen0bit

If anyone has a candidate fix, feel free to submit a pull request. I haven't used awesome for a number of years and am kind of surprised that this appmenu seems to be getting some interest now.

montagdude avatar Apr 25 '24 03:04 montagdude
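
The escaping order that closes the bypass described in the thread, as an added example (not code from awesome-appmenu or from any commenter): the backslash is escaped before the quote, so a name that already contains `\'` cannot end the string early. The function names `lua_quote`, `quote_only` and `is_single_literal` are hypothetical, and the sample names are constructed from the comments above.

```cpp
#include <cstdio>
#include <iostream>
#include <string>

// Hypothetical helper: render s as one single-quoted Lua string literal.
std::string lua_quote(const std::string& s) {
    std::string out = "'";
    for (unsigned char c : s) {
        if (c == '\\')      out += "\\\\";   // backslash first, so \' cannot be re-opened
        else if (c == '\'') out += "\\'";
        else if (c == '\n') out += "\\n";    // a raw newline would end a short string
        else if (c == '\r') out += "\\r";
        else if (c < 0x20 || c == 0x7f) {    // other control bytes: \ddd decimal escape
            char buf[5];
            std::snprintf(buf, sizeof buf, "\\%03d", static_cast<int>(c));
            out += buf;
        } else out += static_cast<char>(c);
    }
    return out + "'";
}

// Quote-only escaping, the case the thread calls incomplete: backslashes pass through.
std::string quote_only(const std::string& s) {
    std::string out = "'";
    for (char c : s) { if (c == '\'') out += '\\'; out += c; }
    return out + "'";
}

// Minimal scanner: true if lit is one Lua short string that closes at its last byte.
bool is_single_literal(const std::string& lit) {
    if (lit.size() < 2 || lit[0] != '\'') return false;
    for (std::size_t i = 1; i < lit.size(); ++i) {
        if (lit[i] == '\\') { ++i; continue; }   // skip the escaped character
        if (lit[i] == '\n') return false;        // unescaped newline
        if (lit[i] == '\'') return i == lit.size() - 1;
    }
    return false;                                // never closed
}

int main() {
    // Constructed Name= values, taken from the comments above.
    const std::string names[] = {"Garry's Mod", "foo', os.exit() }, --",
                                 "foo\\', os.exit() }, --"};
    for (const auto& n : names)
        std::cout << quote_only(n) << " -> " << is_single_literal(quote_only(n)) << "\n"
                  << lua_quote(n)  << " -> " << is_single_literal(lua_quote(n))  << "\n";
}
```

For the third name, `quote_only` produces a literal that closes right after `foo\\`, leaving the rest of the name as Lua code, while `lua_quote` keeps the whole name inside the string.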