Release 3.6.2

Fix for CVE-2023-49284.
Encode all ENCODE_DIRECT codepoints with encode_direct
2026-05-11 19:31:15 -03:00 · 2023-12-04 23:00:02 +08:00 · 2023-12-04 23:00:01 +08:00 · 2023-12-04 23:00:01 +08:00 · 2023-08-03 18:17:05 +02:00
3 changed files with 31 additions and 4 deletions
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -1,4 +1,22 @@
-fish 3.6.1 (released March 25, 2022)
+fish 3.6.2 (released December 4, 2023)
+======================================
+
+This release of fish contains a security fix for CVE-2023-49284, a minor security problem identified
+in fish 3.6.1 and previous versions (thought to affect all released versions of fish).
+
+fish uses certain Unicode non-characters internally for marking wildcards and expansions. It
+incorrectly allowed these markers to be read on command substitution output, rather than
+transforming them into a safe internal representation.
+
+For example, ``echo \UFDD2HOME`` has the same output as ``echo $HOME``.
+
+While this may cause unexpected behavior with direct input, this may become a minor security problem
+if the output is being fed from an external program into a command substitution where this output
+may not be expected.
+
+--------------
+
+fish 3.6.1 (released March 25, 2023)
 ====================================

 This release of fish contains a number of fixes for problems identified in fish 3.6.1, as well as some enhancements.
--- a/src/common.cpp
+++ b/src/common.cpp
@@ -335,9 +335,7 @@ static wcstring str2wcs_internal(const char *in, const size_t in_len) {
        } else {
            ret = std::mbrtowc(&wc, &in[in_pos], in_len - in_pos, &state);
            // Determine whether to encode this character with our crazy scheme.
-            if (wc >= ENCODE_DIRECT_BASE && wc < ENCODE_DIRECT_BASE + 256) {
-                use_encode_direct = true;
-            } else if (wc == INTERNAL_SEPARATOR) {
+            if (fish_reserved_codepoint(wc)) {
                use_encode_direct = true;
            } else if (ret == static_cast<size_t>(-2)) {
                // Incomplete sequence.
@@ -1313,6 +1311,9 @@ maybe_t<size_t> read_unquoted_escape(const wchar_t *input, wcstring *result, boo
    }

    if (result_char_or_none.has_value()) {
+        if (fish_reserved_codepoint(*result_char_or_none)) {
+            return none();
+        }
        result->push_back(*result_char_or_none);
    }

--- a/tests/checks/basic.fish
+++ b/tests/checks/basic.fish
@@ -587,6 +587,14 @@ $fish -c 'echo \x'
 # CHECKERR: echo \x
 # CHECKERR:      ^^

+$fish -c 'echo \ufdd2"fart"'
+# CHECKERR: fish: Invalid token '\ufdd2"fart"'
+# CHECKERR: echo \ufdd2"fart"
+# CHECKERR: ^~~~~~~~~~~^
+
+echo (sh -c 'printf $\'\ufdd2foo\'') | string escape
+# CHECK: \Xef\Xb7\X92foo
+
 printf '%s\n' "#!/bin/sh" 'echo $0' > $tmpdir/argv0.sh
 chmod +x $tmpdir/argv0.sh
 cd $tmpdir
Author	SHA1	Message	Date
David Adam	a51437ec83	Release 3.6.2 Fix for CVE-2023-49284.	2023-12-04 23:00:02 +08:00
Fabian Boehm	09986f5563	Encode all ENCODE_DIRECT codepoints with encode_direct	2023-12-04 23:00:01 +08:00
David Adam	c0de5dd804	CHANGELOG: fix date for 3.6.1 (cherry picked from commit `e2579a59ba`)	2023-12-04 23:00:01 +08:00
Fabian Boehm	bc56a0436b	CHANGELOG: Add 3.6.2 section	2023-08-03 18:17:05 +02:00