From 1dbb66b455b0362f06c9d49583020cf68700ed65 Mon Sep 17 00:00:00 2001 From: dec05eba Date: Thu, 17 May 2018 20:29:45 +0200 Subject: Escape content url to prevent command injection --- src/Cache.cpp | 19 ++++++++++++++++--- src/Text.cpp | 5 +---- 2 files changed, 17 insertions(+), 7 deletions(-) (limited to 'src') diff --git a/src/Cache.cpp b/src/Cache.cpp index a6270f0..074b7bc 100644 --- a/src/Cache.cpp +++ b/src/Cache.cpp @@ -299,7 +299,7 @@ namespace dchat checkContentAccessTimeThread.join(); } - void replaceFileIgnoreError(const boost::filesystem::path &path) + static void replaceFileIgnoreError(const boost::filesystem::path &path) { try { @@ -311,6 +311,18 @@ namespace dchat } } + static string stringReplaceChar(const string &str, const string &from, const string &to) + { + string result = str; + size_t pos = 0; + while((pos = result.find(from, pos)) != string::npos) + { + result.replace(pos, from.size(), to); + pos += to.size(); + } + return result; + } + const ContentByUrlResult Cache::getContentByUrl(const string &url, int downloadLimitBytes) { lock_guard lock(imageDownloadMutex); @@ -357,10 +369,11 @@ namespace dchat string downloadLimitBytesStr = to_string(downloadLimitBytes); - // TODO: Escape url, it can contain escape sequence and execute shell code maliciously... + string escapedUrl = stringReplaceChar(url, "'", ""); + escapedUrl = stringReplaceChar(escapedUrl, "\\", ""); Process::string_type cmd = "curl -L --silent -o '"; cmd += filepath.native(); - cmd += "' --max-filesize " + downloadLimitBytesStr + " --range 0-" + downloadLimitBytesStr + " --url '" + url + "'"; + cmd += "' --max-filesize " + downloadLimitBytesStr + " --range 0-" + downloadLimitBytesStr + " --url '" + escapedUrl + "'"; // TODO: Use this instead of curl on windows: certutil.exe -urlcache -split -f "https://url/to/file" path/and/name/to/save/as/file Process *process = new Process(cmd, "", nullptr, nullptr, false); ImageDownloadInfo imageDownloadInfo { process, url }; diff --git a/src/Text.cpp b/src/Text.cpp index 7503d61..9688ad1 100644 --- a/src/Text.cpp +++ b/src/Text.cpp @@ -487,10 +487,7 @@ namespace dchat vertices[vertices.getVertexCount() - 2] = { sf::Vector2f(glyphPos.x, glyphPos.y - vspace), sf::Color::Transparent, sf::Vector2f() }; vertices[vertices.getVertexCount() - 1] = { sf::Vector2f(glyphPos.x, glyphPos.y - vspace), sf::Color::Transparent, sf::Vector2f() }; - if(textElement.type != TextElement::Type::TEXT) - { - prevCodePoint = 0; - } + prevCodePoint = 0; if(textElement.type == TextElement::Type::URL) { -- cgit v1.2.3