fries/quickjs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix shell injection bug in std.urlGet

Browse source 
Refs: https://github.com/bellard/quickjs/pull/61
This commit is contained in:
Felix S 2024-02-12 10:20:25 +00:00 committed by Ben Noordhuis
parent ef4d8ab2ed
commit ed49e0f39e
1 changed files with 12 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
quickjs-libc.c
View file

@ -1291,7 +1291,7 @@ static JSValue js_std_file_putByte(JSContext *ctx, JSValue this_val,
/* urlGet */ /* urlGet */
#if !defined(__wasi__) #if !defined(__wasi__)
#define URL_GET_PROGRAM "curl -s -i" #define URL_GET_PROGRAM "curl -s -i --"
#define URL_GET_BUF_SIZE 4096 #define URL_GET_BUF_SIZE 4096
static int http_get_header_line(FILE *f, char *buf, size_t buf_size, static int http_get_header_line(FILE *f, char *buf, size_t buf_size,
@ -1364,16 +1364,22 @@ static JSValue js_std_urlGet(JSContext *ctx, JSValue this_val,
} }
js_std_dbuf_init(ctx, &cmd_buf); js_std_dbuf_init(ctx, &cmd_buf);
dbuf_printf(&cmd_buf, "%s ''", URL_GET_PROGRAM); dbuf_printf(&cmd_buf, "%s '", URL_GET_PROGRAM);
len = strlen(url); len = strlen(url);
for(i = 0; i < len; i++) { for(i = 0; i < len; i++) {
c = url[i]; switch (c = url[i]) {
if (c == '\'' || c == '\\') case '\'':
dbuf_putstr(&cmd_buf, "'\\''");
break;
case '[': case ']': case '{': case '}': case '\\':
dbuf_putc(&cmd_buf, '\\'); dbuf_putc(&cmd_buf, '\\');
/* FALLTHROUGH */
default:
dbuf_putc(&cmd_buf, c); dbuf_putc(&cmd_buf, c);
} }
}
JS_FreeCString(ctx, url); JS_FreeCString(ctx, url);
dbuf_putstr(&cmd_buf, "''"); dbuf_putstr(&cmd_buf, "'");
dbuf_putc(&cmd_buf, '\0'); dbuf_putc(&cmd_buf, '\0');
if (dbuf_error(&cmd_buf)) { if (dbuf_error(&cmd_buf)) {
dbuf_free(&cmd_buf); dbuf_free(&cmd_buf);