115051 【KVE-2022-0404】【备份还原】备份还原工具-数据备份功能存在任意命令执行漏洞，导致本地提权

kybackup/component/backuplistwidget.cpp

@@ -208,6 +208,19 @@ void BackupListWidget::dropEvent(QDropEvent *event)
 
 bool BackupListWidget::checkPathLimit(const QString &path)
 {
+    // 防命令注入
+    // 1、形如：mkdir '`id&>id_bak_test.txt`'中的文件夹名称
+    // 2、形如：$()的文件夹名称
+    // 3、形如：${}的文件夹名称
+    // 4、包含[;、&、|]等可以包含并执行系统命令或用于连续执行系统命令的符号
+    if (    path.contains(QRegularExpression(".*`.*`.*"))
+         || path.contains(QRegularExpression(".*\\$\\(.*\\).*"))
+         || path.contains(QRegularExpression(".*\\$\\{.*\\}.*"))
+         || path.contains(QRegularExpression("[;&|]+"))) {
+        MessageBoxUtils::QMESSAGE_BOX_WARNING(this, QObject::tr("Warning"), QObject::tr("Path can not include symbols that such as : ``,$(),${},;,&,|,etc."), QObject::tr("OK"));
+        return false;
+    }
+
     // 1、列表中是否已经存在
     if (contains(path)) {
         MessageBoxUtils::QMESSAGE_BOX_WARNING(this, QObject::tr("Warning"),

kybackup/qt_zh_CN.ts

@@ -1224,9 +1224,10 @@
         <translation type="unfinished"></translation>
     </message>
     <message>
-        <location filename="component/backuplistwidget.cpp" line="213"/>
+        <location filename="component/backuplistwidget.cpp" line="220"/>
-        <location filename="component/backuplistwidget.cpp" line="222"/>
+        <location filename="component/backuplistwidget.cpp" line="226"/>
-        <location filename="component/backuplistwidget.cpp" line="245"/>
+        <location filename="component/backuplistwidget.cpp" line="235"/>
+        <location filename="component/backuplistwidget.cpp" line="258"/>
         <location filename="maindialog.cpp" line="286"/>
         <location filename="maindialog.cpp" line="302"/>
         <location filename="maindialog.cpp" line="322"/>
@@ -1242,14 +1243,24 @@
         <translation>警告</translation>
     </message>
     <message>
-        <location filename="component/backuplistwidget.cpp" line="214"/>
+        <location filename="component/backuplistwidget.cpp" line="220"/>
+        <source>Path can not include symbols that such as : ``,$(),${},;,&amp;,|,etc.</source>
+        <translation>路径中不能包含：``、$()、${}、;、&amp;、|等特殊符号</translation>
+    </message>
+    <message>
+        <location filename="component/backuplistwidget.cpp" line="220"/>
+        <source>OK</source>
+        <translation type="unfinished"></translation>
+    </message>
+    <message>
+        <location filename="component/backuplistwidget.cpp" line="227"/>
         <source>Path already exists : </source>
         <translation>路径已经存在：</translation>
     </message>
     <message>
-        <location filename="component/backuplistwidget.cpp" line="215"/>
+        <location filename="component/backuplistwidget.cpp" line="228"/>
-        <location filename="component/backuplistwidget.cpp" line="224"/>
+        <location filename="component/backuplistwidget.cpp" line="237"/>
-        <location filename="component/backuplistwidget.cpp" line="247"/>
+        <location filename="component/backuplistwidget.cpp" line="260"/>
         <location filename="main.cpp" line="45"/>
         <location filename="maindialog.cpp" line="288"/>
         <location filename="maindialog.cpp" line="304"/>
@@ -1271,12 +1282,12 @@
         <translation>确定</translation>
     </message>
     <message>
-        <location filename="component/backuplistwidget.cpp" line="223"/>
+        <location filename="component/backuplistwidget.cpp" line="236"/>
         <source>The file or directory does not exist : </source>
         <translation>文件或目录不存在</translation>
     </message>
     <message>
-        <location filename="component/backuplistwidget.cpp" line="246"/>
+        <location filename="component/backuplistwidget.cpp" line="259"/>
         <source>Only data that exists in the follow directorys can be selected: %1.
  Path:%2 is not in them.</source>
         <translation>只有后面目录中的数据可以选择：%1。