Fix shell injection bug in std.urlGet (#61)
This commit is contained in:
parent
693449e34e
commit
ae6fa8d3d2
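--- a/quickjs-libc.c
+++ b/quickjs-libc.c
@@ -1282,7 +1282,7 @@ static JSValue js_std_file_putByte(JSContext *ctx, JSValueConst this_val,
 
 /* urlGet */
 
-#define URL_GET_PROGRAM "curl -s -i"
+#define URL_GET_PROGRAM "curl -s -i --"
 #define URL_GET_BUF_SIZE 4096
 
 static int http_get_header_line(FILE *f, char *buf, size_t buf_size,
@@ -1355,16 +1355,22 @@ static JSValue js_std_urlGet(JSContext *ctx, JSValueConst this_val,
 }
 
 js_std_dbuf_init(ctx, &cmd_buf);
-dbuf_printf(&cmd_buf, "%s ''", URL_GET_PROGRAM);
+dbuf_printf(&cmd_buf, "%s '", URL_GET_PROGRAM);
 len = strlen(url);
 for(i = 0; i < len; i++) {
-c = url[i];
-if (c == '\'' || c == '\\')
+switch (c = url[i]) {
+case '\'':
+dbuf_putstr(&cmd_buf, "'\\''");
+break;
+case '[': case ']': case '{': case '}': case '\\':
 dbuf_putc(&cmd_buf, '\\');
+/* FALLTHROUGH */
+default:
 dbuf_putc(&cmd_buf, c);
 }
+}
 JS_FreeCString(ctx, url);
-dbuf_putstr(&cmd_buf, "''");
+dbuf_putstr(&cmd_buf, "'");
 dbuf_putc(&cmd_buf, '\0');
 if (dbuf_error(&cmd_buf)) {
 dbuf_free(&cmd_buf);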
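Review bot: The new single-quote wrapping is correct for a POSIX `sh` string (only `'` needs the `'\''` splice; backslash and the other metacharacters are literal inside `'...'`), but the command is still assembled as text for a shell to parse, so the safety of `std.urlGet` now depends on every future edit of this loop preserving that escaping rather than on structure; spawning `curl` with an explicit argv (`posix_spawn`/`execvp` plus a pipe) would take the shell out of the path entirely, and the `--` added to `URL_GET_PROGRAM` would still be needed for URLs starting with `-`. The `case '[': case ']': case '{': case '}': case '\\':` backslash escapes serve curl's own URL globbing, not the shell, which is not obvious from the code and deserves a comment such as `/* backslash-escape curl glob metacharacters; inside '...' the shell passes the backslash through literally */`; alternatively passing `-g`/`--globoff` in `URL_GET_PROGRAM` makes brackets literal without relying on curl's escape parsing, in which case the `'\\'` escaping of backslash would have to be dropped as well or a literal `\` in the URL becomes `\\`. If this path can be built on a platform whose `popen` hands the string to `cmd.exe`, single quotes are not a quoting mechanism there and the injection remains, so it is worth confirming this code is POSIX-only. The body of `js_std_urlGet` begins and ends outside the hunk, including the call that hands `cmd_buf` to the shell (presumably `popen`), which is not visible here.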