
prevent shell special chars injection in Sys.command arguments

Nicolas Cannasse hace 11 años
padre
commit
22b7e226ef
Se han modificado 3 ficheros con 6 adiciones y 6 borrados
  1. 2 2
      std/cpp/_std/Sys.hx
  2. 2 2
      std/neko/_std/Sys.hx
  3. 2 2
      std/php/_std/Sys.hx

+ 2 - 2
std/cpp/_std/Sys.hx

@@ -85,14 +85,14 @@
 		var ok = true;
 		for( i in 0...arg.length )
 			switch( arg.charCodeAt(i) ) {
-			case 32, 34: // [space] "
+			case ' '.code, '\t'.code, '"'.code, '&'.code, '|'.code, '<'.code, '>'.code, '#'.code , ';'.code, '*'.code, '?'.code, '('.code, ')'.code, '{'.code, '}'.code, '$'.code:
 				ok = false;
 			case 0, 13, 10: // [eof] [cr] [lf]
 				arg = arg.substr(0,i);
 			}
 		if( ok )
 			return arg;
-		return '"'+arg.split('"').join('\\"')+'"';
+		return '"'+arg.split('\\').join("\\\\").split('"').join('\\"')+'"';
 	}
 
 	public static function command( cmd : String, ?args : Array<String> ) : Int {
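Review bot: The quoting on the new return line, `return '"'+arg.split('\\').join("\\\\").split('"').join('\\"')+'"';`, only neutralizes backslash and double quote, so under a POSIX shell `$` (which the new case list deliberately routes into this branch) and the backtick character remain live inside the double quotes and still trigger parameter or command expansion. The backtick and the single quote are also absent from the new case list on the line above, so an argument containing only one of them is returned unquoted and reaches the shell as-is, where an unbalanced single quote breaks the command line. On POSIX the robust form is single-quote quoting, `return "'" + arg.split("'").join("'\\''") + "'";`, keeping the double-quote form for the cmd.exe case where the cpp and neko runtimes may also run, if the target can tell the platforms apart; at minimum add the backtick and single-quote characters to the case list. The same applies to the identical hunks in std/neko/_std/Sys.hx and std/php/_std/Sys.hx. The enclosing function's signature is above the hunk.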

+ 2 - 2
std/neko/_std/Sys.hx

@@ -95,14 +95,14 @@
 		var ok = true;
 		for( i in 0...arg.length )
 			switch( arg.charCodeAt(i) ) {
-			case 32, 34: // [space] "
+			case ' '.code, '\t'.code, '"'.code, '&'.code, '|'.code, '<'.code, '>'.code, '#'.code , ';'.code, '*'.code, '?'.code, '('.code, ')'.code, '{'.code, '}'.code, '$'.code:
 				ok = false;
 			case 0, 13, 10: // [eof] [cr] [lf]
 				arg = arg.substr(0,i);
 			}
 		if( ok )
 			return arg;
-		return '"'+arg.split('"').join('\\"')+'"';
+		return '"'+arg.split('\\').join("\\\\").split('"').join('\\"')+'"';
 	}
 
 	public static function command( cmd : String, ?args : Array<String> ) : Int {

+ 2 - 2
std/php/_std/Sys.hx

@@ -73,14 +73,14 @@
 		var ok = true;
 		for( i in 0...arg.length )
 			switch( arg.charCodeAt(i) ) {
-			case 32, 34: // [space] "
+			case ' '.code, '\t'.code, '"'.code, '&'.code, '|'.code, '<'.code, '>'.code, '#'.code , ';'.code, '*'.code, '?'.code, '('.code, ')'.code, '{'.code, '}'.code, '$'.code:
 				ok = false;
 			case 0, 13, 10: // [eof] [cr] [lf]
 				arg = arg.substr(0,i);
 			}
 		if( ok )
 			return arg;
-		return '"'+arg.split('"').join('\\"')+'"';
+		return '"'+arg.split('\\').join("\\\\").split('"').join('\\"')+'"';
 	}
 
 	public static function command( cmd : String, ?args : Array<String> ) : Int {
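Review bot: On the php target this hand-rolled character list and quoting has to be kept in sync with the shell by hand, whereas the PHP runtime already ships `escapeshellarg()`, which produces platform-correct quoting on both POSIX and Windows; if command() ultimately hands these arguments to the PHP shell functions, delegating to it through the file's existing untyped-call mechanism (confirm what this file uses) would replace the whole case list above. The enclosing function's signature is above the hunk.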