oe_setup_addon will potentially eval user input

  • Original bug report on github for Librespot plugin: username and password are eval'd by shell · Issue #387 · librespot-org/librespot · GitHub


    It is possible for user input, stored in a plugin's settings.xml, to be eval'd by the shell as the root user by the function oe_setup_addon defined in file /etc/profile.d/00-addons.conf.


    The function parses the XML config of an addon, and will attempt to place settings stored in XML in environment variables, using the eval function of the shell. Unfortunately, the contents of the XML file are read in without sanitisation. Since many addons allow the user to fill in their own text in the addon's settings, this gives the opportunity for a user to enter text which can be eval'd by the shell and do something unexpected or unwanted. The use of a double-quote mark " is what allows the escape to happen.


    Code
    1. # cat /etc/issue
    2. ##############################################
    3. # LibreELEC #
    4. # https://libreelec.tv #
    5. ##############################################
    6. LibreELEC (official): 9.1.501 (RPi2.arm)

    Hardware: Raspberry Pi 3