Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter st


From: strk
Subject: Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting
Date: Wed, 29 Dec 2010 11:07:26 +0100

Pushed e3b0cff5506ff6ed7ecfc19654c1e61a7ad3d621
Thanks.

--strk;

On Mon, Dec 27, 2010 at 01:30:00AM +0100, address@hidden wrote:
> >From 746ccb455b6948e90741d8088c0afceadd56a6eb Mon Sep 17 00:00:00 2001
> From: antrik <address@hidden>
> Date: Thu, 25 Nov 2010 11:49:04 +0100
> Subject: [PATCH] npapi/writelauncher: Prevent script parameter strings from 
> escaping shell quoting
> 
> Make sure a ' character in the parameter string doesn't escape the shell
> quoting. This is accomplished by replacing it with a '\'' sequence, i.e.
> ending the single quoting, including an explicitly quoted single quote
> character, and starting the quoting again.
> 
> As the substitution using boost's string algorithm library is trivial,
> just do it inline in the script writing statements.
> ---
>  plugin/npapi/plugin.cpp |    7 ++++++-
>  1 files changed, 6 insertions(+), 1 deletions(-)
> 
> diff --git a/plugin/npapi/plugin.cpp b/plugin/npapi/plugin.cpp
> index 42c2859..3dcced5 100644
> --- a/plugin/npapi/plugin.cpp
> +++ b/plugin/npapi/plugin.cpp
> @@ -35,6 +35,7 @@
>  #endif
>  
>  #include <boost/format.hpp>
> +#include <boost/algorithm/string/replace.hpp>
>  
>  #define MIME_TYPES_HANDLED  "application/x-shockwave-flash"
>  // The name must be this value to get flash movies that check the
> @@ -968,7 +969,11 @@ create_standalone_launcher(const std::string& page_url, 
> const std::string& swf_u
>          itEnd = params.end(); it != itEnd; ++it) {
>          const std::string& nam = it->first; 
>          const std::string& val = it->second;
> -        saLauncher << "-P '" << nam << "=" << val << "' ";
> +        saLauncher << "-P '"
> +                   << boost::algorithm::replace_all_copy(nam, "'", "'\\''")
> +                   << "="
> +                   << boost::algorithm::replace_all_copy(val, "'", "'\\''")
> +                   << "' ";
>      }
>  
>      saLauncher << "'" << swf_url << "' "
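
Review bot: swf_url in the trailing context line, saLauncher << "'" << swf_url << "' ", is still written between single quotes without the substitution this hunk applies to nam and val, so a ' in the URL would end the quoting the same way. Suggest applying the same replace_all_copy(..., "'", "'\\''") there, and moving the substitution into one small helper so every string written inside single quotes in the launcher goes through it instead of repeating the call inline.
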
> -- 
> 1.7.2.3
> 
> 

-- 

  ()   Free GIS & Flash consultant/developer
  /\   http://strk.keybit.net/services.html
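
The substitution described in the commit message, as an added example that is not part of the original patch or of Gnash. The names sh_quote, naive_quote, sh_words and round_trips are hypothetical, the sample strings in the comments are constructed, and sh_words is a simplified model of shell word splitting that covers only single quotes, backslash escapes, blanks and ';'.

```cpp
#include <string>
#include <vector>

// Same substitution as the patch, written without boost (hypothetical helper).
std::string sh_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";  // close quote, escaped quote, reopen quote
        else out += c;
    }
    return out + "'";
}

// Pre-patch behaviour: wrap in single quotes with no substitution.
std::string naive_quote(const std::string& s) { return "'" + s + "'"; }

// Simplified model of how sh splits one line into words (an assumption of
// this example, not a full shell parser). An unquoted ';' or an
// unterminated single quote sets `clean` to false.
std::vector<std::string> sh_words(const std::string& line, bool& clean) {
    std::vector<std::string> words;
    std::string cur;
    bool in_word = false, in_sq = false;
    clean = true;
    for (std::size_t i = 0; i < line.size(); ++i) {
        char c = line[i];
        if (in_sq) {
            if (c == '\'') in_sq = false; else cur += c;   // literal inside quotes
        } else if (c == '\'') {
            in_sq = true; in_word = true;
        } else if (c == '\\' && i + 1 < line.size()) {
            cur += line[++i]; in_word = true;              // backslash escape
        } else if (c == ' ' || c == '\t' || c == ';') {
            if (c == ';') clean = false;                   // command separator
            if (in_word) { words.push_back(cur); cur.clear(); in_word = false; }
        } else {
            cur += c; in_word = true;
        }
    }
    if (in_sq) clean = false;
    if (in_word) words.push_back(cur);
    return words;
}

// True when `quoted` parses back to exactly the single word `original`.
// Constructed inputs to try: "it's" and "x'; extra; '".
bool round_trips(const std::string& quoted, const std::string& original) {
    bool clean = false;
    std::vector<std::string> w = sh_words(quoted, clean);
    return clean && w.size() == 1 && w[0] == original;
}
```
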


