2013-10-11 Ramon Novoa <rnovoa@artica.es>

* src/expand_command.cc: Remove more problematic characters from the parameters as suggested by Robert van Hamburg (xistence). git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@8890 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
2013-10-11 11:16:38 +00:00 · 2013-10-11 11:16:38 +00:00 · 4eddb522f4
parent 4af53ca3ad
commit 4eddb522f4
2 changed files with 21 additions and 6 deletions
--- a/extras/anytermd/ChangeLog
+++ b/extras/anytermd/ChangeLog
@ -1,3 +1,9 @@
+2013-10-11  Ramon Novoa  <rnovoa@artica.es>
+
+	* src/expand_command.cc: Remove more problematic characters
+	  from the parameters as suggested by Robert van Hamburg
+	  (xistence).
+
 2013-10-10  Ramon Novoa  <rnovoa@artica.es>

 	* src/expand_command.cc: Improved injection detection. Thanks to
--- a/extras/anytermd/src/expand_command.cc
+++ b/extras/anytermd/src/expand_command.cc
@ -24,15 +24,24 @@ using namespace std;

 string safe_param (string param)
 {
+	string safe_string = "";

-	// Remove leading backticks and blanks
-	while (!param.empty() && (param.at(0) == '`' ||
-	                          param.at(0) == '\t'||
-	                          param.at(0) == ' ')) {
-	    param.erase(0);
+	// Remove problematic characters
+	for (unsigned int i = 0; i < param.size(); i++){
+		if (param[i] == '<' ||
+		    param[i] == '>' ||
+		    param[i] == '|' ||
+		    param[i] == '`' ||
+		    param[i] == '$' ||
+		    param[i] == ';' ||
+		    param[i] == '&') {
+			continue;
+		}
+
+		safe_string += param[i];
 	}

-	return param;
+	return safe_string;
 }

 // Expand command string: