# Remediation Guide: CVE-2026-35585

This document outlines the steps required to mitigate and permanently fix the OS Command Injection vulnerability in File Browser.

## 1. Immediate Action (For Users/Admins)

If you are running an affected version of File Browser (**v2.0.0 to v2.33.1**), take one of the following actions immediately:

### A. Update to the Latest Version

The most effective solution is to update your File Browser instance to **v2.33.8 or later**. In the patched versions, the maintainers have:

- Disabled custom command hooks by default.
- Improved the way environment variables are handled during hook execution.

### B. Temporary Workaround (If update is not possible)

1. **Disable Hooks:** Clear all commands in the **Global Settings > Commands** (Hooks) section.
2. **Restrict Privileges:** Ensure that only trusted users have "Upload", "Rename", or "Create" permissions.
3. **Shell Configuration:** Remove any shell configuration (e.g., `sh -c`) from the Global Settings to prevent shell-level command chaining.

---

## 2. Technical Solution (For Developers)

The root cause of this vulnerability is the use of `os.Expand` to perform string substitution inside a command string that is eventually executed by a shell.

### The Vulnerable Pattern

Using plain string replacement allows shell metacharacters (`;`, `&`, `|`, etc.) in a user-controlled value such as a filename to be interpreted as command separators.

```go
// VULNERABLE: the expanded string is later handed to `sh -c`
command[i] = os.Expand(arg, envMapping)
// Result: sh -c "echo Uploaded ; id #"
```

### The Recommended Fixes

#### Fix 1: Avoid Shell Execution (Preferred)

Instead of executing commands through a shell (e.g., `sh -c "cmd $VAR"`), execute the binary directly and pass arguments as a discrete slice. This prevents the shell from ever interpreting the content of the variables.

```go
import "os/exec"

// SECURE: Direct execution
// Instead of: []string{"sh", "-c", "echo Uploaded $FILE"}
// Use:        []string{"echo", "Uploaded", path}
cmd := exec.Command(command[0], command[1:]...)
```

#### Fix 2: Proper Shell Quoting/Escaping

If shell execution is strictly required, every variable expanded via `os.Expand` must be escaped for the specific shell being used.

```go
import "github.com/kballard/go-shellquote"

// SECURE: Escaping before substitution
envMapping := func(key string) string {
	if key == "FILE" {
		return shellquote.Join(path) // Wraps in quotes and escapes internal quotes
	}
	// ...
}
```

#### Fix 3: Input Validation (Defense-in-Depth)

Implement a strict allow-list or deny-list for filenames. Reject any file upload or rename request where the filename contains:

- `;`, `&`, `|`, `$`, `` ` ``, `(`, `)`, `>`, `<`, `\n`, `\r`

---

## 3. Verification after Fix

After applying the fix or updating, verify the mitigation by running the PoC script:

```bash
python3 exploit.py -t http://localhost:8080 -c "touch /tmp/verify_fix"
```

**Expected Result:** The server should either:

- Reject the upload due to an invalid filename.
- Upload the file safely without executing the `touch` command.

---

## References

- [CWE-78: Improper Neutralization of Special Elements used in an OS Command](https://cwe.mitre.org/data/definitions/78.html)
- [CWE-88: Improper Neutralization of Argument Delimiters in a Command](https://cwe.mitre.org/data/definitions/88.html)
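Fixes 1 and 3 from section 2, as an added stand-alone Go example that is not File Browser's own code: `hookEnv`, `vulnerableCommand`, `secureCommand`, `filenameAllowed` and `runHook` are hypothetical names, the hook variables are reduced to `FILE`, and the malicious filename is constructed. It places the vulnerable `sh -c` expansion beside the direct-execution argv so the difference is visible, and only ever executes the direct form.

```go
package main

import (
	"os"
	"os/exec"
	"strings"
)

// hookEnv resolves template variables; only FILE is modelled (constructed example).
func hookEnv(path string) func(string) string {
	return func(key string) string {
		if key == "FILE" {
			return path
		}
		return ""
	}
}

// vulnerableCommand mirrors the unsafe pattern: one template string is expanded
// and handed to `sh -c`, so metacharacters in path become shell syntax.
func vulnerableCommand(template, path string) []string {
	return []string{"sh", "-c", os.Expand(template, hookEnv(path))}
}

// secureCommand (Fix 1) expands each argv element separately; no shell is
// involved, so path travels as one literal argument. The configured argv must
// not itself be a shell invocation such as "sh -c".
func secureCommand(argv []string, path string) []string {
	out := make([]string, len(argv))
	for i, a := range argv {
		out[i] = os.Expand(a, hookEnv(path))
	}
	return out
}

// deniedChars is the Fix 3 deny-list from this guide.
const deniedChars = ";&|$`()<>\n\r"

// filenameAllowed is the defense-in-depth check: reject any denied character.
func filenameAllowed(name string) bool {
	return !strings.ContainsAny(name, deniedChars)
}

// runHook executes argv[0] directly with the rest as arguments and returns stdout.
func runHook(argv []string) (string, error) {
	out, err := exec.Command(argv[0], argv[1:]...).Output()
	return string(out), err
}
```

Running `secureCommand` output through `runHook` prints the metacharacters literally, which is the observable difference between the two argv forms.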