author | Josh Rickmar <jrick@devio.us> | 2012-06-04 10:44:08 -0400 |
committer | Josh Rickmar <jrick@devio.us> | 2012-06-15 13:33:37 -0400 |
commit | bc435aaddae36051fa8fff0390d35fb6bd390468 (patch) | |
tree | bff182e13f7ac4b7501651dc351068adaa5bb972 | |
parent | c7e96918621b358af82976835b840fc411a7a865 (diff) | |
Replace "%s" in alias and search_string manually with the encoded
replacement instead of relying on a correct format string. This prevents a user-controlled string from being passed directly as the format argument of a printf-style function, closing the format string vulnerability.
-rw-r--r-- | about.c | 5 | ||||
-rw-r--r-- | xombrero.c | 31 |
2 files changed, 24 insertions, 12 deletions
diff --git a/about.c b/about.c
index 5c69a40..f122817 100644
--- a/about.c
+++ b/about.c
@@ -826,6 +826,7 @@ xtp_handle_sl(struct tab *t, uint8_t cmd, int arg)
 char delim[3] = { '\0', '\0', '\0' };
 char *line, *lt, *enc_search, *uri;
 char *contents, *tmp;
+ char **sv;
 switch (cmd) {
 case XT_XTP_SL_SET:
@@ -882,9 +883,11 @@ xtp_handle_sl(struct tab *t, uint8_t cmd, int arg)
 search = gtk_entry_get_text(GTK_ENTRY(t->search_entry)); /* static */
 enc_search = soup_uri_encode(search, XT_RESERVED_CHARS);
- uri = g_strdup_printf(search_string, enc_search);
+ sv = g_strsplit(search_string, "%s", 2);
+ uri = g_strjoinv(enc_search, sv);
 load_uri(t, uri);
 g_free(enc_search);
+ g_strfreev(sv);
 g_free(uri);
 }
diff --git a/xombrero.c b/xombrero.c
index 5477b93..ddd6632 100644
--- a/xombrero.c
+++ b/xombrero.c
@@ -745,6 +745,7 @@ match_alias(char *url_in)
 struct alias *a;
 char *arg;
 char *url_out = NULL, *search, *enc_arg;
+ char **sv;
 search = g_strdup(url_in);
 arg = search;
@@ -761,12 +762,14 @@ match_alias(char *url_in)
 if (a != NULL) {
 DNPRINTF(XT_D_URL, "match_alias: matched alias %s\n", a->a_name);
- if (arg != NULL) {
- enc_arg = soup_uri_encode(arg, XT_RESERVED_CHARS);
- url_out = g_strdup_printf(a->a_uri, enc_arg);
- g_free(enc_arg);
- } else
- url_out = g_strdup_printf(a->a_uri, "");
+ enc_arg = soup_uri_encode(arg, XT_RESERVED_CHARS);
+ sv = g_strsplit(a->a_uri, "%s", 2);
+ if (arg != NULL)
+ url_out = g_strjoinv(enc_arg, sv);
+ else
+ url_out = g_strjoinv("", sv);
+ g_free(enc_arg);
+ g_strfreev(sv);
 }
 done:
 g_free(search);
@@ -780,6 +783,7 @@ guess_url_type(char *url_in)
 char *url_out = NULL, *enc_search = NULL;
 int i;
 char *cwd;
+ char **sv;
 /* substitute aliases */
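Review bot: In the `@@ -882` hunk of xtp_handle_sl, the new `g_strsplit(search_string, "%s", 2)` / `g_strjoinv(enc_search, sv)` pair silently discards the encoded query when search_string contains no `"%s"` (sv then has one element and uri is just search_string), and if search_string were NULL the GLib calls return NULL after a critical warning and that NULL reaches `load_uri`. Whether search_string is validated when the config is read is not visible from this hunk, so treat that as something to confirm. A cheap guard at the join site would be `if (sv == NULL || sv[1] == NULL) { /* search_string lacks "%s" */ g_strfreev(sv); g_free(enc_search); return; }` or, at minimum, a comment on the split line recording that search_string must contain exactly one `%s`. The fix itself is sound: because g_strjoinv never reinterprets its input, the percent-encoded term can no longer inject conversions. xtp_handle_sl begins before this hunk.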
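Review bot: In the `@@ -761` hunk of match_alias, `enc_arg = soup_uri_encode(arg, XT_RESERVED_CHARS);` is now executed unconditionally, two lines before the `if (arg != NULL)` test that the same hunk keeps, so a NULL arg (which the removed code guarded against) is passed into libsoup. Even if libsoup's argument check turns that into a NULL return plus a logged critical, it is a contract violation rather than handled input. Restore the guard and drop the branch: `enc_arg = (arg != NULL) ? soup_uri_encode(arg, XT_RESERVED_CHARS) : NULL;` followed by `url_out = g_strjoinv(enc_arg != NULL ? enc_arg : "", sv);`; `g_free(NULL)` is a no-op so the cleanup stays as written. The same missing-`"%s"` concern applies to `a->a_uri` here. match_alias begins before this hunk.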
@@ -802,8 +806,10 @@ guess_url_type(char *url_in)
 if (regexec(&url_re, url_in, 0, NULL, 0)) {
 /* invalid URI so search instead */
 enc_search = soup_uri_encode(url_in, XT_RESERVED_CHARS);
- url_out = g_strdup_printf(search_string, enc_search);
+ sv = g_strsplit(search_string, "%s", 2);
+ url_out = g_strjoinv(enc_search, sv);
 g_free(enc_search);
+ g_strfreev(sv);
 goto done;
 }
 }
@@ -814,9 +820,9 @@ guess_url_type(char *url_in)
 url_out = g_strdup_printf("file://%s", url_in);
 else {
 cwd = malloc(PATH_MAX);
- if (getcwd(cwd, PATH_MAX) != NULL) {
- url_out = g_strdup_printf("file://%s/%s",cwd, url_in);
- }
+ if (getcwd(cwd, PATH_MAX) != NULL)
+ url_out = g_strdup_printf("file://%s/%s",cwd,
+ url_in);
 free(cwd);
 }
 } else
@@ -3509,6 +3515,7 @@ activate_search_entry_cb(GtkWidget* entry, struct tab *t)
 const gchar *search = gtk_entry_get_text(GTK_ENTRY(entry));
 char *newuri = NULL;
 gchar *enc_search;
+ char **sv;
 DNPRINTF(XT_D_URL, "activate_search_entry_cb: %s\n", search);
@@ -3525,8 +3532,10 @@ activate_search_entry_cb(GtkWidget* entry, struct tab *t)
 t->xtp_meaning = XT_XTP_TAB_MEANING_NORMAL;
 enc_search = soup_uri_encode(search, XT_RESERVED_CHARS);
- newuri = g_strdup_printf(search_string, enc_search);
+ sv = g_strsplit(search_string, "%s", 2);
+ newuri = g_strjoinv(enc_search, sv);
 g_free(enc_search);
+ g_strfreev(sv);
 marks_clear(t);
 load_uri(t, newuri); |
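Review bot: In the `@@ -814` hunk of guess_url_type, the rewritten `if (getcwd(cwd, PATH_MAX) != NULL)` still consumes `cwd` from an unchecked `malloc(PATH_MAX)` on the line above, and passing a NULL buffer with a non-zero size to getcwd is outside what POSIX defines. Since the line is being touched anyway, fold the check in: `if (cwd != NULL && getcwd(cwd, PATH_MAX) != NULL)`; `free(cwd)` on the NULL path remains harmless. As a style point, dropping the braces around a body that now spans two physical lines makes the statement harder to extend safely; keeping `{ }` there costs nothing. guess_url_type begins and ends outside this hunk.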
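Review bot: The `@@ -3525` hunk of activate_search_entry_cb is the fourth copy of the same `g_strsplit(..., "%s", 2)` / `g_strjoinv` / `g_strfreev` sequence in this commit (xtp_handle_sl, match_alias and guess_url_type carry the others), so the "never treat the config string as a format" rule now lives in four places that must be kept in sync. A small static helper in xombrero.c would give the rule one home and one place to add a missing-`"%s"` check later; the call site then collapses to `newuri = expand_search_string(search_string, enc_search);`. The xombrero.c helper would not be reachable from about.c without a prototype in a shared header, which this diff does not show. activate_search_entry_cb begins before this hunk.

```c
/*
 * Substitute enc (already percent-encoded) for the first "%s" in fmt
 * without ever handing fmt to a printf-style function.  Caller frees.
 */
static char *
expand_search_string(const char *fmt, const char *enc)
{
	char	**sv;
	char	*out;

	sv = g_strsplit(fmt, "%s", 2);
	out = g_strjoinv(enc, sv);
	g_strfreev(sv);
	return (out);
}

	/* … unchanged: activate_search_entry_cb up to enc_search … */
	newuri = expand_search_string(search_string, enc_search);
	g_free(enc_search);
	/* … unchanged: marks_clear / load_uri … */
```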