Sublime Forum

Shell command injection vulnerability in third-party protocol handler 'Subl' for mac


I’ve just published the disclosure of a vulnerability in a piece of code that’s sometimes recommended by the Ruby on Rails community (and possibly others) for use with Sublime Text. ‘Subl’ was a protocol handler for subl:// URLs and lived at https://github.com/dhoulb/subl.

I discovered a nasty vulnerability in this protocol handler that could result in command execution if someone was tricked into clicking on a maliciously crafted link.

The author has since removed it from Github, and you should delete it from your computer. There are alternatives.

I’ve written up an advisory here:
https://inopinatus.org/2017/08/02/shell-command-execution-vulnerability-in-subl-a-third-party-sublime-text-url-handler/

stay safe everyone!

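The post describes the bug class but not the handler's code, so here is an added example (mine, not code from the advisory or from the Subl project) of the general pattern: a URL handler that pastes a decoded path into a shell command line, beside the argv-based version that is not injectable. The subl://open?path=... URL shape is an assumption for this example, not necessarily the format the real handler used, and `echo` stands in for the `subl` binary so the code runs on any machine with /bin/sh.

```python
"""Toy subl:// protocol handler: shell-string version beside an argv version.

Added example; the URL format and the use of `echo` in place of `subl`
are assumptions made so that the code runs offline.
"""
import subprocess
from urllib.parse import parse_qs, urlparse

# Stand-in for the real editor binary (assumption for this example).
EDITOR = "echo"


def path_from_url(url: str) -> str:
    """Return the percent-decoded `path` parameter of a subl://open URL."""
    parsed = urlparse(url)
    if parsed.scheme != "subl" or parsed.netloc != "open":
        raise ValueError("not a subl://open URL")
    params = parse_qs(parsed.query)
    if "path" not in params:
        raise ValueError("missing path parameter")
    return params["path"][0]


def build_shell_command(url: str) -> str:
    """VULNERABLE: the attacker-controlled path becomes part of a shell string."""
    return f"{EDITOR} {path_from_url(url)}"


def run_vulnerable(url: str) -> list[str]:
    """Hand the string to sh -c, as a do-shell-script style handler would."""
    out = subprocess.run(["sh", "-c", build_shell_command(url)],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def build_argv(url: str) -> list[str]:
    """HARDENED: no shell; the path is exactly one argv element, validated first."""
    path = path_from_url(url)
    if not path.startswith("/"):
        # Also rejects values like "--version" that the editor could parse as an option.
        raise ValueError("path must be absolute")
    if any(c in path for c in "\0\n\r"):
        raise ValueError("control characters in path")
    return [EDITOR, path]


def run_hardened(url: str) -> list[str]:
    """Run the argv list directly; metacharacters in the path are never interpreted."""
    out = subprocess.run(build_argv(url), capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


# Constructed malicious link: the path decodes to "/tmp/x; echo INJECTED".
MALICIOUS_URL = "subl://open?path=%2Ftmp%2Fx%3B%20echo%20INJECTED"

if __name__ == "__main__":
    print("shell string:", run_vulnerable(MALICIOUS_URL))  # second command runs
    print("argv list:   ", run_hardened(MALICIOUS_URL))    # payload stays one argument
```

With the shell-string handler the `;` in the decoded path ends the editor command and a second command runs; with the argv list the same bytes reach the program as a single, harmless argument. Note that dropping the shell is necessary but not sufficient: the absolute-path check matters too, since a value such as `--version` handed to the editor as its first argument could still be parsed as an option.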