tails-documentation - Limited Path Traversal
From the Security Audit:
/usr/local/lib/tails-shell-library/localization.sh
uses ${LANG}
without validating it itself. This can lead to a path traversal in localized_tails_doc_page
.
This is not exploitable so far, because the only user is /usr/local/sbin/unsafe-browser
, which can only be called via sudo, which prevents the user from setting LANG
to crafted values (using env_check
)
However, having some validation in place here (for example: check that ${lang_code}
doesn't include any /
), might be worth it
Edited by boyska