[Gnash-commit] gnash ChangeLog server/vm/ASHandlers.cpp


From: Sandro Santilli
Subject: [Gnash-commit] gnash ChangeLog server/vm/ASHandlers.cpp
Date: Mon, 28 Jan 2008 11:04:47 +0000

CVSROOT:        /sources/gnash
Module name:    gnash
Changes by:     Sandro Santilli <strk>  08/01/28 11:04:47

Modified files:
        .              : ChangeLog 
        server/vm      : ASHandlers.cpp 

Log message:
        (CommonGetUrl): escape url before passing to the user-defined url opener.
        This hopefully fixes a critical bug allowing arbitrary command execution.

CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/gnash/ChangeLog?cvsroot=gnash&r1=1.5504&r2=1.5505
http://cvs.savannah.gnu.org/viewcvs/gnash/server/vm/ASHandlers.cpp?cvsroot=gnash&r1=1.181&r2=1.182

Patches:
Index: ChangeLog
===================================================================
RCS file: /sources/gnash/gnash/ChangeLog,v
retrieving revision 1.5504
retrieving revision 1.5505
diff -u -b -r1.5504 -r1.5505
--- ChangeLog   27 Jan 2008 07:18:15 -0000      1.5504
+++ ChangeLog   28 Jan 2008 11:04:46 -0000      1.5505
@@ -1,3 +1,9 @@
+2008-01-28 Sandro Santilli <address@hidden>
+
+       * server/vm/ASHandlers.cpp (CommonGetUrl): escape url before passing
+         the the user-defined url opener. This hopefully fixes a critical
+         bug allowing arbitrary command execution.
+
 2008-01-26 Bastiaan Jacques <address@hidden>
 
        * configure.ac: Add some required gstreamer modules to detect.
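
Review bot: The new ChangeLog entry has a doubled word ("passing the the user-defined url opener", presumably "to the") and says only that the change "hopefully fixes" the bug. Since the entry describes a command execution fix, it should name what is escaped (backslash, single and double quotes, semicolon, space, redirections, ampersand) so that packagers reading the ChangeLog can judge how complete the fix is without opening the diff.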

Index: server/vm/ASHandlers.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/vm/ASHandlers.cpp,v
retrieving revision 1.181
retrieving revision 1.182
diff -u -b -r1.181 -r1.182
--- server/vm/ASHandlers.cpp    21 Jan 2008 20:56:03 -0000      1.181
+++ server/vm/ASHandlers.cpp    28 Jan 2008 11:04:47 -0000      1.182
@@ -17,7 +17,7 @@
 // Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 //
 
-/* $Id: ASHandlers.cpp,v 1.181 2008/01/21 20:56:03 rsavoye Exp $ */
+/* $Id: ASHandlers.cpp,v 1.182 2008/01/28 11:04:47 strk Exp $ */
 
 #ifdef HAVE_CONFIG_H
 #include "gnashconfig.h"
@@ -2266,7 +2266,30 @@
 
        gnash::RcInitFile& rcfile = gnash::RcInitFile::getDefaultInstance();
        string command  = rcfile.getURLOpenerFormat();
-       boost::replace_all(command, "%u", url.str());
+
+       /// Try to avoid letting flash movies execute
+       /// arbitrary commands (sic)
+       ///
+       /// Maybe we should exec here, but if we do we might have problems
+       /// with complex urlOpenerFormats like:
+       ///     firefox -remote 'openurl(%u)'
+       ///
+       ///
+       /// NOTE: this escaping implementation is far from optimal, but
+       ///       I felt pretty in rush to fix the arbitrary command
+       ///       execution... we'll optimize if needed
+       ///
+       string safeurl = url.str(); 
+       boost::replace_all(safeurl, "\\", "\\\\");      // escape backslashes 
first
+       boost::replace_all(safeurl, "'", "\\'");        // then single quotes
+       boost::replace_all(safeurl, "\"", "\\\"");      // double quotes
+       boost::replace_all(safeurl, ";", "\\;");        // colons
+       boost::replace_all(safeurl, " ", "\\ ");        // spaces
+       boost::replace_all(safeurl, ">", "\\>");        // output redirection
+       boost::replace_all(safeurl, "<", "\\<");        // input redirection
+       boost::replace_all(safeurl, "&", "\\&");        // background (sic)
+
+       boost::replace_all(command, "%u", safeurl);
 
        log_msg (_("Launching URL... %s"), command.c_str());
        system(command.c_str());
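
Review bot: The escaping added ahead of `boost::replace_all(command, "%u", safeurl);` is a denylist, and the result is still handed to `system(command.c_str());`, so the shell continues to interpret every metacharacter the list leaves out (backtick, `$`, `|`, parentheses, newline, among others). The format quoted in the comment, `firefox -remote 'openurl(%u)'`, shows a second problem: there the URL is substituted inside single quotes, where a POSIX shell does not treat backslash as an escape, so the `\'` produced by the second `replace_all` still closes the quoted string, and the other inserted backslashes reach the browser as literal characters in the URL. I would rather not pass movie-supplied text through a shell at all: split the urlOpenerFormat into an argument vector once, substitute the URL into the argument that contains `%u`, and launch with fork/exec, which addresses the "complex urlOpenerFormats" concern raised in the comment without any quoting. If `system()` has to stay for now, validate the URL against an allowlist (scheme plus URL-safe characters, percent-encoding everything else) and refuse to launch on a mismatch. Minor: the comment on the `";"` line says "colons" but the character being escaped is a semicolon.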



