diff options
| author | dec05eba <dec05eba@protonmail.com> | 2018-05-17 20:29:45 +0200 |
|---|---|---|
| committer | dec05eba <dec05eba@protonmail.com> | 2018-05-17 20:29:47 +0200 |
| commit | 1dbb66b455b0362f06c9d49583020cf68700ed65 (patch) | |
| tree | e66206fcf3556e987819adb8ab58fea8706ea582 /src | |
| parent | a1766fb9389931481aad96a21a52a0a56d95f55c (diff) | |
Escape content url to prevent command injection
Diffstat (limited to 'src')
| -rw-r--r-- | src/Cache.cpp | 19 | ||||
| -rw-r--r-- | src/Text.cpp | 5 |
2 files changed, 17 insertions, 7 deletions
diff --git a/src/Cache.cpp b/src/Cache.cpp index a6270f0..074b7bc 100644 --- a/src/Cache.cpp +++ b/src/Cache.cpp @@ -299,7 +299,7 @@ namespace dchat checkContentAccessTimeThread.join(); } - void replaceFileIgnoreError(const boost::filesystem::path &path) + static void replaceFileIgnoreError(const boost::filesystem::path &path) { try { @@ -311,6 +311,18 @@ namespace dchat } } + static string stringReplaceChar(const string &str, const string &from, const string &to) + { + string result = str; + size_t pos = 0; + while((pos = result.find(from, pos)) != string::npos) + { + result.replace(pos, from.size(), to); + pos += to.size(); + } + return result; + } + const ContentByUrlResult Cache::getContentByUrl(const string &url, int downloadLimitBytes) { lock_guard<mutex> lock(imageDownloadMutex); @@ -357,10 +369,11 @@ namespace dchat string downloadLimitBytesStr = to_string(downloadLimitBytes); - // TODO: Escape url, it can contain escape sequence and execute shell code maliciously... + string escapedUrl = stringReplaceChar(url, "'", ""); + escapedUrl = stringReplaceChar(escapedUrl, "\\", ""); Process::string_type cmd = "curl -L --silent -o '"; cmd += filepath.native(); - cmd += "' --max-filesize " + downloadLimitBytesStr + " --range 0-" + downloadLimitBytesStr + " --url '" + url + "'"; + cmd += "' --max-filesize " + downloadLimitBytesStr + " --range 0-" + downloadLimitBytesStr + " --url '" + escapedUrl + "'"; // TODO: Use this instead of curl on windows: certutil.exe -urlcache -split -f "https://url/to/file" path/and/name/to/save/as/file Process *process = new Process(cmd, "", nullptr, nullptr, false); ImageDownloadInfo imageDownloadInfo { process, url }; diff --git a/src/Text.cpp b/src/Text.cpp index 7503d61..9688ad1 100644 --- a/src/Text.cpp +++ b/src/Text.cpp @@ -487,10 +487,7 @@ namespace dchat vertices[vertices.getVertexCount() - 2] = { sf::Vector2f(glyphPos.x, glyphPos.y - vspace), sf::Color::Transparent, sf::Vector2f() }; vertices[vertices.getVertexCount() - 1] = { sf::Vector2f(glyphPos.x, glyphPos.y - vspace), sf::Color::Transparent, sf::Vector2f() }; - if(textElement.type != TextElement::Type::TEXT) - { - prevCodePoint = 0; - } + prevCodePoint = 0; if(textElement.type == TextElement::Type::URL) { |