firefox-db2pem: avoid use of eval in script

This could potentially be exploited by manipulating nicknames in the
cert DB.

Reported-by: behindtheblackwall on hackerone
Closes #17766
Dan Fandrich 2025-06-27 11:07:10 -07:00
parent d2a408587a
commit 0b98f596c8


@ -57,5 +57,5 @@ sed -e 's/ *[CcGTPpu]*,[CcGTPpu]*,[CcGTPpu]* *$//' -e 's/\(.*\)/"\1"/' | \
sort | \
while read -r nickname; \
do echo "$nickname" | sed -e "s/Builtin Object Token://g"; \
eval certutil -d "$db" -L -n "$nickname" -a ; \
echo "$nickname" | xargs -I{} certutil -d "$db" -L -a -n {} ; \
done >> "$out"
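Review bot: The replacement line still hands the nickname to a second parser: `xargs` applies its own quote and backslash processing to each input line, so a nickname that itself contains `"`, `'` or `\` would, as far as I can tell, be rejected or altered before `certutil` sees it, and because the loop never checks the exit status the label is still written to `$out` with no certificate after it. Passing the value as a plain argument avoids any re-parsing and makes the failure visible: `n=${nickname#\"}; n=${n%\"}; certutil -d "$db" -L -a -n "$n" || echo "export failed: $n" >&2 ; \`. On the label line, `printf '%s\n' "$nickname"` would be more predictable than `echo`, since some `sh` implementations interpret backslashes in `echo` arguments. The pipeline begins above this hunk, so the listing and filtering stages that produce the nicknames are not visible here.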