CVE-2023-1350: 
NixOS vulnerability analysis and mitigation

A critical vulnerability was discovered in Liferea's feed enrichment functionality, identified as CVE-2023-1350. The vulnerability was found in the updatejobrun function and affects the feed enrichment feature when processing URLs. The issue was discovered and patched in March 2023, affecting versions since September 2017 (GitHub Commit).

The vulnerability stems from insufficient URL validation in certain code sections that process command prefixes. When the feed enrichment option 'Extract full content from HTML5 and Google AMP' is enabled, the application fails to properly validate URLs before processing them. The issue specifically occurs in the updaterequestnew function, where URLs with command prefixes are not properly checked, allowing for command execution. The vulnerability has existed since commits b828838 and b67dbba from September 2017 (GitHub Commit).

The vulnerability allows malicious websites to execute arbitrary commands on the local system through specially crafted URLs. When exploited, an attacker could run any command with the permissions of the Liferea process, potentially leading to system compromise (GitHub Commit).

The issue has been patched by implementing a non-persistent flag that controls command execution permissions. This security feature is now only enabled when explicitly required, rather than being enabled by default in updateOptions. The fix ensures that feed commands are restricted to specific use cases while preventing downstream requests from executing commands via malicious URLs (GitHub Commit).