tyler.durden/notepad-plus-plus
1
0
Fork 0
mirror of https://github.com/notepad-plus-plus/notepad-plus-plus.git synced 2025-07-29 08:44:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

[EU-FOSSA] Enhance external call code to avoid eventual arbitrary commands execution

Browse Source
This commit is contained in:
Don HO 2019-03-10 23:27:05 +01:00
parent a2e9421669
commit 3f5f69c6a6
4 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
PowerEditor/src/NppCommands.cpp
View File

@ -91,8 +91,8 @@ void Notepad_plus::command(int id)
case IDM_FILE_OPEN_CMD: case IDM_FILE_OPEN_CMD:
{ {
Command cmd(TEXT("cmd /K cd /d \"$(CURRENT_DIRECTORY)\"")); Command cmd(TEXT("cmd"));
cmd.run(_pPublicInterface->getHSelf()); cmd.run(_pPublicInterface->getHSelf(), TEXT("$(CURRENT_DIRECTORY)"));
} }
break; break;

4
PowerEditor/src/WinControls/FileBrowser/fileBrowser.cpp
View File

@ -688,9 +688,9 @@ void FileBrowser::popupMenuCmd(int cmdID)
if (::PathFileExists(path.c_str())) if (::PathFileExists(path.c_str()))
{ {
TCHAR cmdStr[1024]; TCHAR cmdStr[1024];
wsprintf(cmdStr, TEXT("cmd /K cd /d \"%s\""), path.c_str()); wsprintf(cmdStr, TEXT("cmd"));
Command cmd(cmdStr); Command cmd(cmdStr);
cmd.run(nullptr); cmd.run(nullptr, path.c_str());
} }
} }
break; break;

10
PowerEditor/src/WinControls/StaticDialog/RunDlg/RunDlg.cpp
View File

@ -167,6 +167,11 @@ void expandNppEnvironmentStrs(const TCHAR *strSrc, TCHAR *stringDest, size_t str
} }
HINSTANCE Command::run(HWND hWnd) HINSTANCE Command::run(HWND hWnd)
{
return run(hWnd, TEXT("."));
}
HINSTANCE Command::run(HWND hWnd, const TCHAR* cwd)
{ {
const int argsIntermediateLen = MAX_PATH*2; const int argsIntermediateLen = MAX_PATH*2;
const int args2ExecLen = CURRENTWORD_MAXLENGTH+MAX_PATH*2; const int args2ExecLen = CURRENTWORD_MAXLENGTH+MAX_PATH*2;
@ -194,7 +199,10 @@ HINSTANCE Command::run(HWND hWnd)
expandNppEnvironmentStrs(cmdIntermediate, cmd2Exec, MAX_PATH, hWnd); expandNppEnvironmentStrs(cmdIntermediate, cmd2Exec, MAX_PATH, hWnd);
expandNppEnvironmentStrs(argsIntermediate, args2Exec, args2ExecLen, hWnd); expandNppEnvironmentStrs(argsIntermediate, args2Exec, args2ExecLen, hWnd);
HINSTANCE res = ::ShellExecute(hWnd, TEXT("open"), cmd2Exec, args2Exec, TEXT("."), SW_SHOW); TCHAR cwd2Exec[MAX_PATH];
expandNppEnvironmentStrs(cwd, cwd2Exec, MAX_PATH, hWnd);
HINSTANCE res = ::ShellExecute(hWnd, TEXT("open"), cmd2Exec, args2Exec, cwd2Exec, SW_SHOW);
// As per MSDN (https://msdn.microsoft.com/en-us/library/windows/desktop/bb762153(v=vs.85).aspx) // As per MSDN (https://msdn.microsoft.com/en-us/library/windows/desktop/bb762153(v=vs.85).aspx)
// If the function succeeds, it returns a value greater than 32. // If the function succeeds, it returns a value greater than 32.

1
PowerEditor/src/WinControls/StaticDialog/RunDlg/RunDlg.h
View File

@ -43,6 +43,7 @@ public :
explicit Command(TCHAR *cmd) : _cmdLine(cmd){}; explicit Command(TCHAR *cmd) : _cmdLine(cmd){};
explicit Command(generic_string cmd) : _cmdLine(cmd){}; explicit Command(generic_string cmd) : _cmdLine(cmd){};
HINSTANCE run(HWND hWnd); HINSTANCE run(HWND hWnd);
HINSTANCE run(HWND hWnd, const TCHAR* cwd);
protected : protected :
generic_string _cmdLine; generic_string _cmdLine;