author | Felix S <felix.von.s@posteo.de> | 2024-02-12 10:20:25 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-12 11:20:25 +0100 |
commit | ae6fa8d3d204590ce3647ad847e8e310e662898f (patch) | |
tree | 1871eabffd75683d0d3f434fb1285567b9999b0a /quickjs-libc.c | |
parent | 693449e34e84887600471140e3b7ce0c3e9c8032 (diff) | |
Fix shell injection bug in std.urlGet (#61)
Diffstat (limited to 'quickjs-libc.c')
-rw-r--r-- | quickjs-libc.c | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/quickjs-libc.c b/quickjs-libc.c
index 42fee03..7eea0d7 100644
--- a/quickjs-libc.c
+++ b/quickjs-libc.c
@@ -1282,7 +1282,7 @@ static JSValue js_std_file_putByte(JSContext *ctx, JSValueConst this_val,
 
 /* urlGet */
 
-#define URL_GET_PROGRAM "curl -s -i"
+#define URL_GET_PROGRAM "curl -s -i --"
 #define URL_GET_BUF_SIZE 4096
 
 static int http_get_header_line(FILE *f, char *buf, size_t buf_size,
@@ -1355,16 +1355,22 @@ static JSValue js_std_urlGet(JSContext *ctx, JSValueConst this_val,
     }
 
     js_std_dbuf_init(ctx, &cmd_buf);
-    dbuf_printf(&cmd_buf, "%s ''", URL_GET_PROGRAM);
+    dbuf_printf(&cmd_buf, "%s '", URL_GET_PROGRAM);
     len = strlen(url);
     for(i = 0; i < len; i++) {
-        c = url[i];
-        if (c == '\'' || c == '\\')
+        switch (c = url[i]) {
+        case '\'':
+            dbuf_putstr(&cmd_buf, "'\\''");
+            break;
+        case '[': case ']': case '{': case '}': case '\\':
             dbuf_putc(&cmd_buf, '\\');
-        dbuf_putc(&cmd_buf, c);
+            /* FALLTHROUGH */
+        default:
+            dbuf_putc(&cmd_buf, c);
+        }
     }
     JS_FreeCString(ctx, url);
-    dbuf_putstr(&cmd_buf, "''");
+    dbuf_putstr(&cmd_buf, "'");
     dbuf_putc(&cmd_buf, '\0');
     if (dbuf_error(&cmd_buf)) {
         dbuf_free(&cmd_buf);
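Review bot: The escape set in the new switch mixes two quoting layers without saying so: the `'\''` case serves the POSIX single-quoted string the command is wrapped in, while the backslashes put before `[ ] { }` and `\` are for curl's own URL globbing, which single quotes do not disable, and a reader could easily take those backslashes for shell escaping, where they would be inert inside `'…'`. I would add a comment before the loop, `/* shell: wrap in single quotes, ' -> '\'' ; curl: backslash-escape its glob characters [ ] { } and a literal \ */`. Adding `-g` (`--globoff`) to URL_GET_PROGRAM would make the second layer unnecessary, though that changes how a literal backslash in the URL reaches curl, so it needs checking against existing callers. The loop is bounded by `strlen(url)`, so a URL string carrying an embedded NUL is silently cut at that point rather than rejected. js_std_urlGet begins and ends outside the hunk.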