authorJosh Rickmar <jrick@devio.us>2012-06-04 10:44:08 -0400
committerJosh Rickmar <jrick@devio.us>2012-06-15 13:33:37 -0400
commitbc435aaddae36051fa8fff0390d35fb6bd390468 (patch)
treebff182e13f7ac4b7501651dc351068adaa5bb972
parentc7e96918621b358af82976835b840fc411a7a865 (diff)
Replace "%s" in alias and search_string manually with the encoded
replacement instead of relying on a correct format string.  This
prevents directly passing a user-defined format string as the first
arg to a printf-style function and avoids the format string exploit.
-rw-r--r--about.c5
-rw-r--r--xombrero.c31
2 files changed, 24 insertions, 12 deletions
diff --git a/about.c b/about.c
index 5c69a40..f122817 100644
--- a/about.c
+++ b/about.c
@@ -826,6 +826,7 @@ xtp_handle_sl(struct tab *t, uint8_t cmd, int arg)
 	char			delim[3] = { '\0', '\0', '\0' };
 	char			*line, *lt, *enc_search, *uri;
 	char			*contents, *tmp;
+	char			**sv;
 
 	switch (cmd) {
 	case XT_XTP_SL_SET:
@@ -882,9 +883,11 @@ xtp_handle_sl(struct tab *t, uint8_t cmd, int arg)
 
 	search = gtk_entry_get_text(GTK_ENTRY(t->search_entry)); /* static */
 	enc_search = soup_uri_encode(search, XT_RESERVED_CHARS);
-	uri = g_strdup_printf(search_string, enc_search);
+	sv = g_strsplit(search_string, "%s", 2);
+	uri = g_strjoinv(enc_search, sv);
 	load_uri(t, uri);
 	g_free(enc_search);
+	g_strfreev(sv);
 	g_free(uri);
 }
 
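Review bot: The two-line substitution `sv = g_strsplit(search_string, "%s", 2);` / `uri = g_strjoinv(enc_search, sv);` is repeated verbatim in guess_url_type and activate_search_entry_cb in xombrero.c (and in a variant in match_alias), so the contract that only the first `%s` is replaced and every other `%`-sequence in the template is now kept literal is spread over four call sites; a single `static char *` helper taking the template and the encoded query would keep that policy in one place and make the free of `sv` impossible to forget. The `2` passed to g_strsplit also deserves a comment at each site, e.g. `/* replace only the first "%s"; the rest of the template is literal text, never a printf directive */`, because a template without `%s` now silently yields the template itself and drops the encoded query, which is presumably intended but is not obvious from the call. If `search_string` can still be NULL here, g_strsplit will return NULL and `uri` will be NULL when it reaches load_uri, so that precondition should be stated or checked. The body of xtp_handle_sl begins before this hunk.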
diff --git a/xombrero.c b/xombrero.c
index 5477b93..ddd6632 100644
--- a/xombrero.c
+++ b/xombrero.c
@@ -745,6 +745,7 @@ match_alias(char *url_in)
 	struct alias		*a;
 	char			*arg;
 	char			*url_out = NULL, *search, *enc_arg;
+	char			**sv;
 
 	search = g_strdup(url_in);
 	arg = search;
@@ -761,12 +762,14 @@ match_alias(char *url_in)
 	if (a != NULL) {
 		DNPRINTF(XT_D_URL, "match_alias: matched alias %s\n",
 		    a->a_name);
-		if (arg != NULL) {
-			enc_arg = soup_uri_encode(arg, XT_RESERVED_CHARS);
-			url_out = g_strdup_printf(a->a_uri, enc_arg);
-			g_free(enc_arg);
-		} else
-			url_out = g_strdup_printf(a->a_uri, "");
+		enc_arg = soup_uri_encode(arg, XT_RESERVED_CHARS);
+		sv = g_strsplit(a->a_uri, "%s", 2);
+		if (arg != NULL)
+			url_out = g_strjoinv(enc_arg, sv);
+		else
+			url_out = g_strjoinv("", sv);
+		g_free(enc_arg);
+		g_strfreev(sv);
 	}
 done:
 	g_free(search);
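Review bot: The call `enc_arg = soup_uri_encode(arg, XT_RESERVED_CHARS);` is now made unconditionally, but the old code only encoded when `arg != NULL`, and the `else` branch two lines later shows `arg` can be NULL here; passing NULL into soup_uri_encode is at best a GLib critical and at worst a NULL dereference, depending on the libsoup version. The encode and its g_free belong inside the `if (arg != NULL)` branch, leaving the split/join and g_strfreev shared by both paths. match_alias starts before this hunk and the `done:` label's cleanup continues after it.
```c
		/* … unchanged: DNPRINTF of the matched alias … */
		sv = g_strsplit(a->a_uri, "%s", 2);
		if (arg != NULL) {
			enc_arg = soup_uri_encode(arg, XT_RESERVED_CHARS);
			url_out = g_strjoinv(enc_arg, sv);
			g_free(enc_arg);
		} else
			url_out = g_strjoinv("", sv);
		g_strfreev(sv);
```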
@@ -780,6 +783,7 @@ guess_url_type(char *url_in)
 	char			*url_out = NULL, *enc_search = NULL;
 	int			i;
 	char			*cwd;
+	char			**sv;
 
 
 	/* substitute aliases */
@@ -802,8 +806,10 @@ guess_url_type(char *url_in)
 		if (regexec(&url_re, url_in, 0, NULL, 0)) {
 			/* invalid URI so search instead */
 			enc_search = soup_uri_encode(url_in, XT_RESERVED_CHARS);
-			url_out = g_strdup_printf(search_string, enc_search);
+			sv = g_strsplit(search_string, "%s", 2);
+			url_out = g_strjoinv(enc_search, sv);
 			g_free(enc_search);
+			g_strfreev(sv);
 			goto done;
 		}
 	}
@@ -814,9 +820,9 @@ guess_url_type(char *url_in)
 			url_out = g_strdup_printf("file://%s", url_in);
 		else {
 			cwd = malloc(PATH_MAX);
-			if (getcwd(cwd, PATH_MAX) != NULL) {
-				url_out = g_strdup_printf("file://%s/%s",cwd, url_in);
-			}
+			if (getcwd(cwd, PATH_MAX) != NULL)
+				url_out = g_strdup_printf("file://%s/%s",cwd,
+				    url_in);
 			free(cwd);
 		}
 	} else
@@ -3509,6 +3515,7 @@ activate_search_entry_cb(GtkWidget* entry, struct tab *t)
 	const gchar		*search = gtk_entry_get_text(GTK_ENTRY(entry));
 	char			*newuri = NULL;
 	gchar			*enc_search;
+	char			**sv;
 
 	DNPRINTF(XT_D_URL, "activate_search_entry_cb: %s\n", search);
 
@@ -3525,8 +3532,10 @@ activate_search_entry_cb(GtkWidget* entry, struct tab *t)
 	t->xtp_meaning = XT_XTP_TAB_MEANING_NORMAL;
 
 	enc_search = soup_uri_encode(search, XT_RESERVED_CHARS);
-	newuri = g_strdup_printf(search_string, enc_search);
+	sv = g_strsplit(search_string, "%s", 2);
+	newuri = g_strjoinv(enc_search, sv);
 	g_free(enc_search);
+	g_strfreev(sv);
 
 	marks_clear(t);
 	load_uri(t, newuri);