Merge pull request #136 from sdgx/patch-notes-url-command-injection

Avoid possible command injection (patch notes URL)
This commit is contained in:
Michael Bayne
2018-09-14 14:35:45 -07:00
committed by GitHub
3 changed files with 42 additions and 0 deletions
@@ -36,6 +36,7 @@ import com.samskivert.util.StringUtil;
import com.threerings.getdown.data.Digest;
import com.threerings.getdown.data.SysProps;
import static com.threerings.getdown.Log.log;
import static com.threerings.getdown.util.StringUtil.couldBeValidUrl;
/**
* The main application entry point for Getdown.
@@ -194,6 +195,11 @@ public class GetdownApp
@Override
protected void showDocument (String url) {
if (!couldBeValidUrl(url)) {
// command injection would be possible if we allowed e.g. spaces and double quotes
log.warning("Invalid document URL.", "url", url);
return;
}
String[] cmdarray;
if (RunAnywhere.isWindows()) {
String osName = System.getProperty("os.name", "");