From 1dbb66b455b0362f06c9d49583020cf68700ed65 Mon Sep 17 00:00:00 2001
From: dec05eba <dec05eba@protonmail.com>
Date: Thu, 17 May 2018 20:29:45 +0200
Subject: Escape content url to prevent command injection

---
 src/Cache.cpp | 19 ++++++++++++++++---
 src/Text.cpp  |  5 +----
 2 files changed, 17 insertions(+), 7 deletions(-)

(limited to 'src')

diff --git a/src/Cache.cpp b/src/Cache.cpp
index a6270f0..074b7bc 100644
--- a/src/Cache.cpp
+++ b/src/Cache.cpp
@@ -299,7 +299,7 @@ namespace dchat
         checkContentAccessTimeThread.join();
     }
     
-    void replaceFileIgnoreError(const boost::filesystem::path &path)
+    static void replaceFileIgnoreError(const boost::filesystem::path &path)
     {
         try
         {
@@ -311,6 +311,18 @@ namespace dchat
         }
     }
     
+    static string stringReplaceChar(const string &str, const string &from, const string &to)
+    {
+        string result = str;
+        size_t pos = 0;
+        while((pos = result.find(from, pos)) != string::npos)
+        {
+            result.replace(pos, from.size(), to);
+            pos += to.size();
+        }
+        return result;
+    }
+    
     const ContentByUrlResult Cache::getContentByUrl(const string &url, int downloadLimitBytes)
     {
         lock_guard<mutex> lock(imageDownloadMutex);
@@ -357,10 +369,11 @@ namespace dchat
         
         string downloadLimitBytesStr = to_string(downloadLimitBytes);
         
-        // TODO: Escape url, it can contain escape sequence and execute shell code maliciously...
+        string escapedUrl = stringReplaceChar(url, "'", "");
+        escapedUrl = stringReplaceChar(escapedUrl, "\\", "");
         Process::string_type cmd = "curl -L --silent -o '";
         cmd += filepath.native();
-        cmd += "' --max-filesize " + downloadLimitBytesStr + " --range 0-" + downloadLimitBytesStr + " --url '" + url + "'";
+        cmd += "' --max-filesize " + downloadLimitBytesStr + " --range 0-" + downloadLimitBytesStr + " --url '" + escapedUrl + "'";
         // TODO: Use this instead of curl on windows: certutil.exe -urlcache -split -f "https://url/to/file" path/and/name/to/save/as/file
         Process *process = new Process(cmd, "", nullptr, nullptr, false);
         ImageDownloadInfo imageDownloadInfo { process, url };
diff --git a/src/Text.cpp b/src/Text.cpp
index 7503d61..9688ad1 100644
--- a/src/Text.cpp
+++ b/src/Text.cpp
@@ -487,10 +487,7 @@ namespace dchat
             vertices[vertices.getVertexCount() - 2] = { sf::Vector2f(glyphPos.x, glyphPos.y - vspace), sf::Color::Transparent, sf::Vector2f() };
             vertices[vertices.getVertexCount() - 1] = { sf::Vector2f(glyphPos.x, glyphPos.y - vspace), sf::Color::Transparent, sf::Vector2f() };
             
-            if(textElement.type != TextElement::Type::TEXT)
-            {
-                prevCodePoint = 0;
-            }
+            prevCodePoint = 0;
             
             if(textElement.type == TextElement::Type::URL)
             {
-- 
cgit v1.2.3