From ed49e0f39e05b2fa87b122369d66cbedd242ed24 Mon Sep 17 00:00:00 2001
From: Felix S
Date: Mon, 12 Feb 2024 10:20:25 +0000
Subject: [PATCH] Fix shell injection bug in std.urlGet

Refs: https://github.com/bellard/quickjs/pull/61
---
 quickjs-libc.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/quickjs-libc.c b/quickjs-libc.c
index b3e9406..3a12124 100644
--- a/quickjs-libc.c
+++ b/quickjs-libc.c
@@ -1291,7 +1291,7 @@ static JSValue js_std_file_putByte(JSContext *ctx, JSValue this_val,
 /* urlGet */
 #if !defined(__wasi__)
-#define URL_GET_PROGRAM "curl -s -i"
+#define URL_GET_PROGRAM "curl -s -i --"
 #define URL_GET_BUF_SIZE 4096
 static int http_get_header_line(FILE *f, char *buf, size_t buf_size,
@@ -1364,16 +1364,22 @@ static JSValue js_std_urlGet(JSContext *ctx, JSValue this_val,
 }
 js_std_dbuf_init(ctx, &cmd_buf);
- dbuf_printf(&cmd_buf, "%s ''", URL_GET_PROGRAM);
+ dbuf_printf(&cmd_buf, "%s '", URL_GET_PROGRAM);
 len = strlen(url);
 for(i = 0; i < len; i++) {
- c = url[i];
- if (c == '\'' || c == '\\')
+ switch (c = url[i]) {
+ case '\'':
+ dbuf_putstr(&cmd_buf, "'\\''");
+ break;
+ case '[': case ']': case '{': case '}': case '\\':
 dbuf_putc(&cmd_buf, '\\');
- dbuf_putc(&cmd_buf, c);
+ /* FALLTHROUGH */
+ default:
+ dbuf_putc(&cmd_buf, c);
+ }
 }
 JS_FreeCString(ctx, url);
- dbuf_putstr(&cmd_buf, "''");
+ dbuf_putstr(&cmd_buf, "'");
 dbuf_putc(&cmd_buf, '\0');
 if (dbuf_error(&cmd_buf)) {
 dbuf_free(&cmd_buf);
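Review bot: The `--` added to `URL_GET_PROGRAM` is security-relevant, but nothing on the line says so, and its position matters because the macro is spliced directly in front of the quoted URL by `dbuf_printf(&cmd_buf, "%s '", URL_GET_PROGRAM)` in the next hunk. A comment above the define would keep it from being dropped, or from having another option appended after it: `/* "--" must stay last: it ends curl option parsing, so a URL starting with '-' is never read as an option */`.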
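Review bot: The `case '[': case ']': case '{': case '}': case '\\':` arm makes the loop depend on curl's URL-globbing escape rules on top of the shell's single-quote rules, so the quoting is only correct while both grammars behave as assumed. Passing `--globoff` in the program string (`#define URL_GET_PROGRAM "curl -s -i --globoff --"`) would make curl take the URL literally, leaving the loop with only the `'\''` case and `default`. The `'\''` replacement itself is the right way to carry a quote through a POSIX single-quoted word. The buffer is presumably handed to a shell further down in js_std_urlGet, outside this hunk; if so, a comment there noting that an argv-based spawn would remove the quoting step altogether is worth adding. js_std_urlGet starts and ends outside the hunk.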