Avoid possible command injection

Because we are running cmd.exe here, it is possible to use a malicious URL to execute arbitrary commands on the shell ( e.g. if url=http://my-patch-notes.com/" & del C:\ )

(Triggered by internal security audit and Fortify analysis.)
This commit is contained in:
Daniel Gredler
2018-09-12 16:26:25 -04:00
parent 712b06f8fb
commit 70174d2a98
3 changed files with 42 additions and 0 deletions
@@ -36,6 +36,7 @@ import com.samskivert.util.StringUtil;
import com.threerings.getdown.data.Digest;
import com.threerings.getdown.data.SysProps;
import static com.threerings.getdown.Log.log;
import static com.threerings.getdown.util.StringUtil.couldBeValidUrl;
/**
* The main application entry point for Getdown.
@@ -194,6 +195,11 @@ public class GetdownApp
@Override
protected void showDocument (String url) {
if (!couldBeValidUrl(url)) {
// command injection would be possible if we allowed e.g. spaces and double quotes
log.warning("Invalid document URL.", "url", url);
return;
}
String[] cmdarray;
if (RunAnywhere.isWindows()) {
String osName = System.getProperty("os.name", "");