mirror of https://github.com/irssi/irssi.git synced 2024-12-04 14:46:39 -05:00

Remove CR and LF from Perl commands, to make it harder to introduce a security bug

git-svn-id: http://svn.irssi.org/repos/irssi/trunk@4396 dbcabf3a-b0e7-0310-adc4-f8d773084564
Wouter Coekaerts 2006-12-08 21:38:55 +00:00 committed by coekie
parent 0aca74b6e3
commit f0fb4c19d4


@ -526,6 +526,16 @@ static void perl_script_fill_hash(HV *hv, PERL_SCRIPT_REC *script)
hv_store(hv, "data", 4, new_pv(script->data), 0); hv_store(hv, "data", 4, new_pv(script->data), 0);
} }
static void remove_newlines(char *str)
{
char *writing = str;
for (;*str;str++)
if (*str != '\n' && *str != '\r')
*(writing++) = *str;
*writing = '\0';
}
void perl_command(const char *cmd, SERVER_REC *server, WI_ITEM_REC *item) void perl_command(const char *cmd, SERVER_REC *server, WI_ITEM_REC *item)
{ {
const char *cmdchars; const char *cmdchars;
@ -540,6 +550,14 @@ void perl_command(const char *cmd, SERVER_REC *server, WI_ITEM_REC *item)
sendcmd = g_strdup_printf("%c%s", *cmdchars, cmd); sendcmd = g_strdup_printf("%c%s", *cmdchars, cmd);
} }
/* remove \r and \n from commands,
to make it harder to introduce a security bug in a script */
if(strpbrk(sendcmd, "\r\n")) {
if (sendcmd == cmd)
sendcmd = strdup(cmd);
remove_newlines(sendcmd);
}
signal_emit("send command", 3, sendcmd, server, item); signal_emit("send command", 3, sendcmd, server, item);
if (sendcmd != cmd) g_free(sendcmd); if (sendcmd != cmd) g_free(sendcmd);
} }
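Review bot: In the second hunk the writable copy is made with `strdup(cmd)` but released a few lines later with `g_free(sendcmd)`, and its result goes straight into remove_newlines() with no NULL check, so a failed allocation becomes a NULL dereference in that loop. Use `sendcmd = g_strdup(cmd);` instead, which pairs with the existing g_free() and gives the same out-of-memory behaviour as the g_strdup_printf() call above it. The comment over the strpbrk() check could also state the trust boundary, for example `/* cmd may contain untrusted text passed in by a script; a CR or LF must never reach "send command" */`, so the reason for the stripping is recorded next to it. perl_command() begins before this hunk and the lines between the two hunks are not shown, so this assumes sendcmd is only ever cmd itself or a GLib allocation.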