`` in author names are not escaped, allowing execution of arbitrary commands about gitstats HOT 5 CLOSED

At least this case would be simply fixed by using single instead of double quotes around the author names when writing that file. That would prevent all kinds of similar problems as well.

from gitstats.

So just to clarify the above, simply was a foolish choice of word. Yes, using single quotes instead of double solves the problem, but that will fail if the author's name contains one. 'Tim O'Really' for example. It's not possible to escape that as ' either. In bash, you can do $'Tim O'\Really' (which is what I tried), but apparently you can't in the gnuplot file. I'll investigate what else might be possible when I have time.

from gitstats.

(the other simple/obvious option would be to just remove any backtick characters from the author name, but just doing that may well leave other avenues of attack open - I was looking for a solution that ensures the name is taken as a literal string no matter what)

from gitstats.

Indeed. I was kind of hoping some gnuplot expert would pop in and tip us on how to do this properly, but alas, we will have to do with the unoptimal blacklisting.

commit 5ba386aede189ce22f900fd9548d3135e46bd7ff
Author: Heikki Hokkanen <[email protected]>
Date:   Sat Dec 21 15:04:04 2013 +0200

    Remove backticks from author names passed to gnuplot.

    Without this, author names containing `touch /tmp/vulnerable` would cause said
    file to appear after generating statistics for the given repository.

    This is not an optimal solution. Instead of blacklisting characters we should
    either whitelist some, or find a safe escape mechanism for gnuplot.

Thanks for reporting the bug.

from gitstats.

I think that solution is probably fine. I did have a good read of the documentation later, and I don't see any way of causing problems with any other characters other than the backtick.

from gitstats.