authordec05eba <dec05eba@protonmail.com>2018-05-17 20:29:45 +0200
committerdec05eba <dec05eba@protonmail.com>2018-05-17 20:29:47 +0200
commit1dbb66b455b0362f06c9d49583020cf68700ed65 (patch)
treee66206fcf3556e987819adb8ab58fea8706ea582 /src
parenta1766fb9389931481aad96a21a52a0a56d95f55c (diff)
Escape content url to prevent command injection
Diffstat (limited to 'src')
-rw-r--r--src/Cache.cpp19
-rw-r--r--src/Text.cpp5
2 files changed, 17 insertions, 7 deletions
diff --git a/src/Cache.cpp b/src/Cache.cpp
index a6270f0..074b7bc 100644
--- a/src/Cache.cpp
+++ b/src/Cache.cpp
@@ -299,7 +299,7 @@ namespace dchat
checkContentAccessTimeThread.join();
}
- void replaceFileIgnoreError(const boost::filesystem::path &path)
+ static void replaceFileIgnoreError(const boost::filesystem::path &path)
{
try
{
@@ -311,6 +311,18 @@ namespace dchat
}
}
+ static string stringReplaceChar(const string &str, const string &from, const string &to)
+ {
+ string result = str;
+ size_t pos = 0;
+ while((pos = result.find(from, pos)) != string::npos)
+ {
+ result.replace(pos, from.size(), to);
+ pos += to.size();
+ }
+ return result;
+ }
+
const ContentByUrlResult Cache::getContentByUrl(const string &url, int downloadLimitBytes)
{
lock_guard<mutex> lock(imageDownloadMutex);
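Review bot: `stringReplaceChar` never terminates when `from` is empty, because `result.find(from, pos)` then matches at every position and the loop either spins in place (empty `to`) or keeps inserting `to` forever. Both callers in this commit pass non-empty literals, so the problem is latent, but a guard at the top such as `if(from.empty()) return str;` makes the helper safe to reuse. The name is also misleading, since it replaces substrings rather than single characters; `stringReplace` would be clearer. A short comment saying that it replaces every non-overlapping occurrence and returns a copy would help too.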
@@ -357,10 +369,11 @@ namespace dchat
string downloadLimitBytesStr = to_string(downloadLimitBytes);
- // TODO: Escape url, it can contain escape sequence and execute shell code maliciously...
+ string escapedUrl = stringReplaceChar(url, "'", "");
+ escapedUrl = stringReplaceChar(escapedUrl, "\\", "");
Process::string_type cmd = "curl -L --silent -o '";
cmd += filepath.native();
- cmd += "' --max-filesize " + downloadLimitBytesStr + " --range 0-" + downloadLimitBytesStr + " --url '" + url + "'";
+ cmd += "' --max-filesize " + downloadLimitBytesStr + " --range 0-" + downloadLimitBytesStr + " --url '" + escapedUrl + "'";
// TODO: Use this instead of curl on windows: certutil.exe -urlcache -split -f "https://url/to/file" path/and/name/to/save/as/file
Process *process = new Process(cmd, "", nullptr, nullptr, false);
ImageDownloadInfo imageDownloadInfo { process, url };
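Review bot: Deleting `'` and `\` from the URL changes which resource is requested instead of encoding those characters, and the `ImageDownloadInfo` on the last line of the hunk still records the unmodified `url`, so the cached entry can be associated with a URL that was never fetched. Percent-encoding keeps the request faithful and is equally safe inside the single-quoted argument: `string escapedUrl = stringReplaceChar(url, "'", "%27");` followed by `escapedUrl = stringReplaceChar(escapedUrl, "\\", "%5C");`. The command is still assembled as one string, so the protection depends on the quoting rules of whatever shell `Process` hands it to (presumably `sh` on POSIX; the Windows path in the TODO would need different handling). Passing the arguments as a list without a shell, if the `Process` class supports that, would remove the dependency. Because the URL is treated as untrusted here, it is also worth adding `--proto =http,https --proto-redir =http,https` and `--globoff` to the curl options so that only web URLs are fetched and `{}`/`[]` patterns are not expanded. `getContentByUrl` starts and ends outside this hunk.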
diff --git a/src/Text.cpp b/src/Text.cpp
index 7503d61..9688ad1 100644
--- a/src/Text.cpp
+++ b/src/Text.cpp
@@ -487,10 +487,7 @@ namespace dchat
vertices[vertices.getVertexCount() - 2] = { sf::Vector2f(glyphPos.x, glyphPos.y - vspace), sf::Color::Transparent, sf::Vector2f() };
vertices[vertices.getVertexCount() - 1] = { sf::Vector2f(glyphPos.x, glyphPos.y - vspace), sf::Color::Transparent, sf::Vector2f() };
- if(textElement.type != TextElement::Type::TEXT)
- {
- prevCodePoint = 0;
- }
+ prevCodePoint = 0;
if(textElement.type == TextElement::Type::URL)
{