From: strk
Subject: Re: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting
Date: Wed, 29 Dec 2010 11:07:26 +0100

Pushed e3b0cff5506ff6ed7ecfc19654c1e61a7ad3d621
Thanks.
--strk;
On Mon, Dec 27, 2010 at 01:30:00AM +0100, address@hidden wrote:
> >From 746ccb455b6948e90741d8088c0afceadd56a6eb Mon Sep 17 00:00:00 2001
> From: antrik <address@hidden>
> Date: Thu, 25 Nov 2010 11:49:04 +0100
> Subject: [PATCH] npapi/writelauncher: Prevent script parameter strings from
> escaping shell quoting
>
> Make sure a ' character in the parameter string doesn't escape the shell
> quoting. This is accomplished by replacing it with a '\'' sequence, i.e.
> ending the single quoting, including an explicitly quoted single quote
> character, and starting the quoting again.
>
> As the substitution using boost's string algorithm library is trivial,
> just do it inline in the script writing statements.
> ---
> plugin/npapi/plugin.cpp | 7 ++++++-
> 1 files changed, 6 insertions(+), 1 deletions(-)
>
> diff --git a/plugin/npapi/plugin.cpp b/plugin/npapi/plugin.cpp
> index 42c2859..3dcced5 100644
> --- a/plugin/npapi/plugin.cpp
> +++ b/plugin/npapi/plugin.cpp
> @@ -35,6 +35,7 @@
> #endif
>
> #include <boost/format.hpp>
> +#include <boost/algorithm/string/replace.hpp>
>
> #define MIME_TYPES_HANDLED "application/x-shockwave-flash"
> // The name must be this value to get flash movies that check the
> @@ -968,7 +969,11 @@ create_standalone_launcher(const std::string& page_url,
> const std::string& swf_u
> itEnd = params.end(); it != itEnd; ++it) {
> const std::string& nam = it->first;
> const std::string& val = it->second;
> - saLauncher << "-P '" << nam << "=" << val << "' ";
> + saLauncher << "-P '"
> + << boost::algorithm::replace_all_copy(nam, "'", "'\\''")
> + << "="
> + << boost::algorithm::replace_all_copy(val, "'", "'\\''")
> + << "' ";
> }
>
> saLauncher << "'" << swf_url << "' "
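Review bot: the unchanged context line at the end of this hunk, saLauncher << "'" << swf_url << "' ", still writes swf_url between single quotes without the '\'' substitution now applied to nam and val, so a ' in that string closes the quoting just as it did for the parameters. Suggest passing swf_url through the same replace_all_copy call, and moving the expression into a small helper so that every string written inside single quotes in create_standalone_launcher goes through one function; that also removes the duplicated call on the two added lines.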
> --
> 1.7.2.3
--
() Free GIS & Flash consultant/developer
/\ http://strk.keybit.net/services.html
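
The '\'' substitution described in the commit message, as an added example that is not part of the original post or of Gnash: a standard-library-only quoting helper, plus a simplified model of shell word splitting that checks a -P argument comes back as exactly one word. The names shell_single_quote, split_words and param_round_trips are hypothetical.

```cpp
// Added example; function names are hypothetical and not Gnash code.
#include <stdexcept>
#include <string>
#include <vector>

// Wrap s in single quotes; each ' becomes '\'' (close, escaped quote, reopen).
std::string shell_single_quote(const std::string& s) {
    std::string out = "'";
    for (char c : s) out += (c == '\'') ? std::string("'\\''") : std::string(1, c);
    return out + "'";
}

// Simplified model of POSIX sh word splitting: single quotes, backslash
// outside quotes, blanks. Other unquoted metacharacters are rejected, so
// the check fails closed.
std::vector<std::string> split_words(const std::string& line) {
    std::vector<std::string> words;
    std::string cur;
    bool in_word = false, in_quote = false;
    for (std::size_t i = 0; i < line.size(); ++i) {
        const char c = line[i];
        if (in_quote) {
            if (c == '\'') in_quote = false;  // nothing else is special in '...'
            else cur += c;
        } else if (c == '\'') {
            in_quote = in_word = true;
        } else if (c == '\\') {
            if (++i == line.size()) throw std::runtime_error("trailing backslash");
            cur += line[i];
            in_word = true;
        } else if (c == ' ' || c == '\t') {
            if (in_word) { words.push_back(cur); cur.clear(); in_word = false; }
        } else if (std::string(";&|<>()$`\"\n*?[#~").find(c) != std::string::npos) {
            throw std::runtime_error("unquoted shell metacharacter");
        } else {
            cur += c;
            in_word = true;
        }
    }
    if (in_quote) throw std::runtime_error("unterminated single quote");
    if (in_word) words.push_back(cur);
    return words;
}

// True when "-P <quoted nam=val>" parses back to exactly the two intended words.
bool param_round_trips(const std::string& nam, const std::string& val) {
    const auto w = split_words("-P " + shell_single_quote(nam + "=" + val) + " ");
    return w.size() == 2 && w[0] == "-P" && w[1] == nam + "=" + val;
}
```

Feeding split_words a line built the old way, with the value pasted between single quotes unchanged, yields more than two words as soon as the value contains a ' character.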