[Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter string
From: olafBuddenhagen
Subject: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting
Date: Mon, 27 Dec 2010 01:30:00 +0100
User-agent: Mutt/1.5.20 (2009-06-14)
>From 746ccb455b6948e90741d8088c0afceadd56a6eb Mon Sep 17 00:00:00 2001
From: antrik <address@hidden>
Date: Thu, 25 Nov 2010 11:49:04 +0100
Subject: [PATCH] npapi/writelauncher: Prevent script parameter strings from
escaping shell quoting
Make sure a ' character in the parameter string doesn't escape the shell
quoting. This is accomplished by replacing it with a '\'' sequence, i.e.
ending the single quoting, including an explicitly quoted single quote
character, and starting the quoting again.
As the substitution using boost's string algorithm library is trivial,
just do it inline in the script writing statements.
---
plugin/npapi/plugin.cpp | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
diff --git a/plugin/npapi/plugin.cpp b/plugin/npapi/plugin.cpp
index 42c2859..3dcced5 100644
--- a/plugin/npapi/plugin.cpp
+++ b/plugin/npapi/plugin.cpp
@@ -35,6 +35,7 @@
#endif
#include <boost/format.hpp>
+#include <boost/algorithm/string/replace.hpp>
#define MIME_TYPES_HANDLED "application/x-shockwave-flash"
// The name must be this value to get flash movies that check the
@@ -968,7 +969,11 @@ create_standalone_launcher(const std::string& page_url,
const std::string& swf_u
itEnd = params.end(); it != itEnd; ++it) {
const std::string& nam = it->first;
const std::string& val = it->second;
- saLauncher << "-P '" << nam << "=" << val << "' ";
+ saLauncher << "-P '"
+ << boost::algorithm::replace_all_copy(nam, "'", "'\\''")
+ << "="
+ << boost::algorithm::replace_all_copy(val, "'", "'\\''")
+ << "' ";
}
saLauncher << "'" << swf_url << "' "
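Review bot: The trailing context line `saLauncher << "'" << swf_url << "' "` still writes swf_url between single quotes without the replace_all_copy substitution that this hunk applies to nam and val, so unless swf_url is escaped before this point (not visible in the hunk), a ' in the URL would end the quoting in the same way. Suggest applying the same '\'' replacement to swf_url. Since the expression would then appear three times, a small helper function that single-quote-escapes a string would be easier to audit than repeating the inline call.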
--
1.7.2.3