commit 3f9ce496f04527431a6fd074db2641385ced8aea
parent c26202ce5a017bb46d0db5b309f2a6924196f0a3
Author: Felix S <felix.von.s@posteo.de>
Date: Mon, 12 Feb 2024 10:20:25 +0000
Fix shell injection bug in std.urlGet (#61)
Diffstat:
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/quickjs/quickjs-libc.c b/quickjs/quickjs-libc.c
@@ -1393,7 +1393,7 @@ static JSValue js_std_file_putByte(JSContext *ctx, JSValueConst this_val,
/* urlGet */
-#define URL_GET_PROGRAM "curl -s -i"
+#define URL_GET_PROGRAM "curl -s -i --"
#define URL_GET_BUF_SIZE 4096
static int http_get_header_line(FILE *f, char *buf, size_t buf_size,
@@ -1466,16 +1466,22 @@ static JSValue js_std_urlGet(JSContext *ctx, JSValueConst this_val,
}
js_std_dbuf_init(ctx, &cmd_buf);
- dbuf_printf(&cmd_buf, "%s ''", URL_GET_PROGRAM);
+ dbuf_printf(&cmd_buf, "%s '", URL_GET_PROGRAM);
len = strlen(url);
for(i = 0; i < len; i++) {
- c = url[i];
- if (c == '\'' || c == '\\')
+ switch (c = url[i]) {
+ case '\'':
+ dbuf_putstr(&cmd_buf, "'\\''");
+ break;
+ case '[': case ']': case '{': case '}': case '\\':
dbuf_putc(&cmd_buf, '\\');
- dbuf_putc(&cmd_buf, c);
+ /* FALLTHROUGH */
+ default:
+ dbuf_putc(&cmd_buf, c);
+ }
}
JS_FreeCString(ctx, url);
- dbuf_putstr(&cmd_buf, "''");
+ dbuf_putstr(&cmd_buf, "'");
dbuf_putc(&cmd_buf, '\0');
if (dbuf_error(&cmd_buf)) {
dbuf_free(&cmd_buf);
