[Gnash-commit] gnash ChangeLog server/vm/ASHandlers.cpp
From: Sandro Santilli
Subject: [Gnash-commit] gnash ChangeLog server/vm/ASHandlers.cpp
Date: Mon, 28 Jan 2008 11:04:47 +0000
CVSROOT: /sources/gnash
Module name: gnash
Changes by: Sandro Santilli <strk> 08/01/28 11:04:47
Modified files:
. : ChangeLog
server/vm : ASHandlers.cpp
Log message:
(CommonGetUrl): escape url before passing to the user-defined url
opener.
This hopefully fixes a critical bug allowing arbitrary command
execution.
CVSWeb URLs:
http://cvs.savannah.gnu.org/viewcvs/gnash/ChangeLog?cvsroot=gnash&r1=1.5504&r2=1.5505
http://cvs.savannah.gnu.org/viewcvs/gnash/server/vm/ASHandlers.cpp?cvsroot=gnash&r1=1.181&r2=1.182
Patches:
Index: ChangeLog
===================================================================
RCS file: /sources/gnash/gnash/ChangeLog,v
retrieving revision 1.5504
retrieving revision 1.5505
diff -u -b -r1.5504 -r1.5505
--- ChangeLog 27 Jan 2008 07:18:15 -0000 1.5504
+++ ChangeLog 28 Jan 2008 11:04:46 -0000 1.5505
@@ -1,3 +1,9 @@
+2008-01-28 Sandro Santilli <address@hidden>
+
+ * server/vm/ASHandlers.cpp (CommonGetUrl): escape url before passing
+ the the user-defined url opener. This hopefully fixes a critical
+ bug allowing arbitrary command execution.
+
2008-01-26 Bastiaan Jacques <address@hidden>
* configure.ac: Add some required gstreamer modules to detect.
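Review bot: the new entry has a doubled word in "passing the the user-defined url opener"; it should read "passing to the". Since the entry records a fix for arbitrary command execution, it would also help to name what is escaped (shell metacharacters in the url substituted for %u) so readers of the ChangeLog can tell what the change covers without opening the diff.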
Index: server/vm/ASHandlers.cpp
===================================================================
RCS file: /sources/gnash/gnash/server/vm/ASHandlers.cpp,v
retrieving revision 1.181
retrieving revision 1.182
diff -u -b -r1.181 -r1.182
--- server/vm/ASHandlers.cpp 21 Jan 2008 20:56:03 -0000 1.181
+++ server/vm/ASHandlers.cpp 28 Jan 2008 11:04:47 -0000 1.182
@@ -17,7 +17,7 @@
// Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
//
-/* $Id: ASHandlers.cpp,v 1.181 2008/01/21 20:56:03 rsavoye Exp $ */
+/* $Id: ASHandlers.cpp,v 1.182 2008/01/28 11:04:47 strk Exp $ */
#ifdef HAVE_CONFIG_H
#include "gnashconfig.h"
@@ -2266,7 +2266,30 @@
gnash::RcInitFile& rcfile = gnash::RcInitFile::getDefaultInstance();
string command = rcfile.getURLOpenerFormat();
- boost::replace_all(command, "%u", url.str());
+
+ /// Try to avoid letting flash movies execute
+ /// arbitrary commands (sic)
+ ///
+ /// Maybe we should exec here, but if we do we might have problems
+ /// with complex urlOpenerFormats like:
+ /// firefox -remote 'openurl(%u)'
+ ///
+ ///
+ /// NOTE: this escaping implementation is far from optimal, but
+ /// I felt pretty in rush to fix the arbitrary command
+ /// execution... we'll optimize if needed
+ ///
+ string safeurl = url.str();
+ boost::replace_all(safeurl, "\\", "\\\\"); // escape backslashes
first
+ boost::replace_all(safeurl, "'", "\\'"); // then single quotes
+ boost::replace_all(safeurl, "\"", "\\\""); // double quotes
+ boost::replace_all(safeurl, ";", "\\;"); // colons
+ boost::replace_all(safeurl, " ", "\\ "); // spaces
+ boost::replace_all(safeurl, ">", "\\>"); // output redirection
+ boost::replace_all(safeurl, "<", "\\<"); // input redirection
+ boost::replace_all(safeurl, "&", "\\&"); // background (sic)
+
+ boost::replace_all(command, "%u", safeurl);
log_msg (_("Launching URL... %s"), command.c_str());
system(command.c_str());
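Review bot: the escaping added before boost::replace_all(command, "%u", safeurl) is a denylist that leaves several shell metacharacters untouched, and the result is still handed to system(). The list covers backslash, both quotes, ";", space, ">", "<" and "&", but not the backtick, "$", "|", parentheses, newline or glob characters, so a url containing any of those is still interpreted by the shell. The backslash escaping also does not hold for the format the comment itself cites, firefox -remote 'openurl(%u)': inside single quotes the shell treats a backslash literally, so the sequence produced for a single quote still closes the quoted string. I would suggest either rejecting or percent-encoding every character outside an allowlist of URL-safe characters before the substitution, or splitting the opener format into an argument vector and using fork/exec so that no shell parses the url at all; the concern about complex urlOpenerFormats can be handled by substituting %u inside a single argv element. Minor: the comment on the ";" line says "colons", but the character being escaped is a semicolon.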