gnash-dev

[Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter string


From: olafBuddenhagen
Subject: [Gnash-dev] [PATCH] npapi/writelauncher: Prevent script parameter strings from escaping shell quoting
Date: Mon, 27 Dec 2010 01:30:00 +0100
User-agent: Mutt/1.5.20 (2009-06-14)

>From 746ccb455b6948e90741d8088c0afceadd56a6eb Mon Sep 17 00:00:00 2001
From: antrik <address@hidden>
Date: Thu, 25 Nov 2010 11:49:04 +0100
Subject: [PATCH] npapi/writelauncher: Prevent script parameter strings from 
escaping shell quoting

Make sure a ' character in the parameter string doesn't escape the shell
quoting. This is accomplished by replacing it with a '\'' sequence, i.e.
ending the single quoting, including an explicitly quoted single quote
character, and starting the quoting again.

As the substitution using boost's string algorithm library is trivial,
just do it inline in the script writing statements.
---
 plugin/npapi/plugin.cpp |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/plugin/npapi/plugin.cpp b/plugin/npapi/plugin.cpp
index 42c2859..3dcced5 100644
--- a/plugin/npapi/plugin.cpp
+++ b/plugin/npapi/plugin.cpp
@@ -35,6 +35,7 @@
 #endif
 
 #include <boost/format.hpp>
+#include <boost/algorithm/string/replace.hpp>
 
 #define MIME_TYPES_HANDLED  "application/x-shockwave-flash"
 // The name must be this value to get flash movies that check the
@@ -968,7 +969,11 @@ create_standalone_launcher(const std::string& page_url, 
const std::string& swf_u
         itEnd = params.end(); it != itEnd; ++it) {
         const std::string& nam = it->first; 
         const std::string& val = it->second;
-        saLauncher << "-P '" << nam << "=" << val << "' ";
+        saLauncher << "-P '"
+                   << boost::algorithm::replace_all_copy(nam, "'", "'\\''")
+                   << "="
+                   << boost::algorithm::replace_all_copy(val, "'", "'\\''")
+                   << "' ";
     }
 
     saLauncher << "'" << swf_url << "' "
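
Review bot: the trailing context line `saLauncher << "'" << swf_url << "' "` still writes swf_url between single quotes without the substitution that the added lines apply to nam and val, so a ' character in that value would end the quoting in the same way. Suggest passing swf_url through the same `boost::algorithm::replace_all_copy(..., "'", "'\\''")` call. With three call sites, the substitution would also be better placed in a small named helper, so the quoting rule is stated once and any other value written into the launcher script can reuse it.
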
-- 
1.7.2.3



