CVE-2026-32973 OpenClaw执行允许列表绕过漏洞

# PoC Concept for CVE-2026-32973 # This demonstrates the bypass logic using the '?' wildcard def vulnerable_check(pattern, path): # Simulating the flawed normalization (lowercasing) norm_pattern = pattern.lower() norm_path = path.lower() # Simulating the flawed glob match where '?' matches '/' # This is a simplified representation of the vulnerability import re regex = re.escape(norm_pattern).replace(r'\*', '.*').replace(r'\?', '.') # The vulnerability allows '.' to match '/' effectively if re.fullmatch(regex, norm_path): return True return False # Scenario: Allowlist is "/usr/bin/date" allowlist = "/usr/bin/date" # Attack payload: Using '?' to match '/' # If the system treats '?' as matching '/', this might bypass strict checks # depending on the exact pattern logic. # Example: trying to execute "/bin/sh" if the allowlist logic is too permissive # or if there is a related path. # This is a conceptual demonstration based on the description of # 'overmatches on POSIX paths' and 'wildcard matching across path segments'. print("Vulnerability confirmed if logic allows '?' to match path separators.")