head	1.2;
access;
symbols;
locks; strict;
comment	@# @;


1.2
date	2005.10.09.10.22.50;	author novel;	state dead;
branches;
next	1.1;

1.1
date	2005.09.26.11.38.08;	author novel;	state Exp;
branches;
next	;


desc
@@


1.2
log
@Update to 0.5.5.
@
text
@--- src/wzd_mod.c.orig	2005-09-26 09:34:42.000000000 +0200
+++ src/wzd_mod.c	2005-09-26 09:46:41.000000000 +0200
@@@@ -102,6 +102,7 @@@@
 } protocol_handler_t;
 
 static int _hook_print_file(const char *filename, wzd_context_t *context);
+void _cleanup_shell_command(char * buffer, size_t length);
 
 static protocol_handler_t * proto_handler_list=NULL;
 static unsigned int _reply_code;
@@@@ -378,6 +379,8 @@@@
   {
     *(buffer+l_command++) = ' ';
     (void)wzd_strncpy(buffer + l_command, buffer_args, sizeof(buffer) - l_command - 1);
+    /* SECURITY filter buffer for shell special characters ! */
+    _cleanup_shell_command(buffer,sizeof(buffer));
     if ( (command_output = popen(buffer,"r")) == NULL ) {
       out_log(LEVEL_HIGH,"Hook '%s': unable to popen\n",hook->external_command);
       return 1;
@@@@ -438,6 +441,8 @@@@
   else
   {
 /*    *(buffer+l_command++) = ' ';*/
+    /* SECURITY filter buffer for shell special characters ! */
+    _cleanup_shell_command(buffer,sizeof(buffer));
     if ( (command_output = popen(buffer,"r")) == NULL ) {
       out_log(LEVEL_HIGH,"Hook '%s': unable to popen\n",hook->external_command);
       return 1;
@@@@ -733,6 +738,8 @@@@
 }
 
 
+/*************** STATIC ****************/
+
 static int _hook_print_file(const char *filename, wzd_context_t *context)
 {
   wzd_cache_t * fp;
@@@@ -765,3 +772,24 @@@@
 
   return 0;
 }
+
+void _cleanup_shell_command(char * buffer, size_t length)
+{
+  const char * specials = "$\\|;!`()'\"#.,:*?{}[]&<>-~";
+  size_t i,j;
+  char * buf2;
+
+  buf2 = wzd_malloc(length);
+
+  for (i=0,j=0; buffer[i]!='\0' && i<length && j<length; i++,j++) {
+    if (strchr(specials,buffer[i]) != NULL) {
+      if (j+1 >= length) { buf2[j]='\0'; break; }
+      buf2[j++] = '\\';
+    }
+    buf2[j] = buffer[i];
+  }
+
+  wzd_strncpy(buffer,buf2,length);
+  wzd_free(buf2);
+}
+
@


1.1
log
@Fix insecure use of popen().

Obtained from:	wzdftpd-security maillist
@
text
@@

