$NetBSD: patch-cg,v 1.2 2007/04/02 01:25:49 hira Exp $

Security fixes for CVE-2007-0239.  This has been fixed in OOo 2.2.

--- shell/source/unix/exec/shellexec.cxx.orig	2006-12-02 02:57:03.000000000 +0900
+++ shell/source/unix/exec/shellexec.cxx	2007-04-02 10:07:28.000000000 +0900
@@ -52,10 +52,6 @@
 #include <osl/file.hxx>
 #endif
 
-#ifndef _RTL_STRBUF_HXX_
-#include <rtl/strbuf.hxx>
-#endif
-
 #ifndef _RTL_USTRBUF_HXX_
 #include <rtl/ustrbuf.hxx>
 #endif
@@ -124,6 +120,20 @@
     }
 }
 
+void escapeForShell( rtl::OStringBuffer & rBuffer, const rtl::OString & rURL)
+{
+    sal_Int32 nmax = rURL.getLength();
+    for(sal_Int32 n=0; n < nmax; ++n)
+    {
+        // escape every non alpha numeric characters (excluding a few "known good") by prepending a '\'
+        sal_Char c = rURL[n];
+        if( ( c < 'A' || c > 'Z' ) && ( c < 'a' || c > 'z' ) && ( c < '0' || c > '9' )  && c != '/' && c != '.' )
+            rBuffer.append( '\\' );
+        
+        rBuffer.append( c );
+    }
+}
+
 //-----------------------------------------------------------------------------------------
 // 
 //-----------------------------------------------------------------------------------------
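Review bot: `escapeForShell` carries no comment stating what it escapes for, and the behaviour a reader is most likely to miss is that backslash escaping is only right for a POSIX sh command line, where a `\` directly before a newline is a line continuation, so a newline in `rURL` is silently dropped rather than passed through (no injection, but the argument is altered). Suggest a header comment such as `// Escape rURL for use as exactly one word on a POSIX sh command line by prefixing every byte outside [A-Za-z0-9/.] with '\'; a backslash-newline is a line continuation, so newlines do not survive.` The function is also introduced with no prior declaration, so `static` (or the file's anonymous-namespace convention, if it has one) would keep it from acquiring external linkage. The first hunk drops the guarded `rtl/strbuf.hxx` include that declares `rtl::OStringBuffer`; presumably it is reached through another header, but that is worth confirming since this function is the new user of the type.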
@@ -208,7 +218,7 @@
         OString aTmp = OUStringToOString(aProgram, osl_getThreadTextEncoding());
         nIndex = aTmp.lastIndexOf('/');
         if (nIndex > 0)
-            aBuffer.append(aTmp.copy(0, nIndex+1));
+            escapeForShell(aBuffer, aTmp.copy(0, nIndex+1));
             
         // Respect the desktop environment - if there is an executable named 
         // <desktop-environement-is>-open-url, pass the url to this one instead
@@ -236,21 +246,19 @@
              
         aBuffer.append("open-url");
 #endif
-        aBuffer.append(" \'");
-        aBuffer.append(OUStringToOString(aURL, osl_getThreadTextEncoding()));
-        aBuffer.append("\'");
+        aBuffer.append(" ");
+        escapeForShell(aBuffer, OUStringToOString(aURL, osl_getThreadTextEncoding()));
         
         if ( pDesktopLaunch && *pDesktopLaunch )
         {
             aLaunchBuffer.append( pDesktopLaunch );
-            aLaunchBuffer.append( " \'" );
-            aLaunchBuffer.append(OUStringToOString(aURL, osl_getThreadTextEncoding()));
-            aLaunchBuffer.append( "\'" );
+            aLaunchBuffer.append(" ");
+            escapeForShell(aLaunchBuffer, OUStringToOString(aURL, osl_getThreadTextEncoding()));
         }
     } else {
-        aBuffer.append(OUStringToOString(aCommand, osl_getThreadTextEncoding()));
+        escapeForShell(aBuffer, OUStringToOString(aCommand, osl_getThreadTextEncoding()));
         aBuffer.append(" ");
-        aBuffer.append(OUStringToOString(aParameter, osl_getThreadTextEncoding()));
+        escapeForShell(aBuffer, OUStringToOString(aParameter, osl_getThreadTextEncoding()));
     }
     
     // Prefer DESKTOP_LAUNCH when available
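Review bot: Escaping `aParameter` as a single unit at the last replaced line changes its meaning: whitespace inside it is now backslash-escaped, so a parameter string that previously expanded to several shell words reaches the command as one argument. That is the safe reading and matches the intent of the fix, but if any caller passes a multi-word parameter string it will now break silently, so a comment at that call such as `// aParameter is passed as exactly one argument; embedded whitespace is escaped, not split` would make the new contract explicit. The same applies to `aCommand` two lines above it, where a command string that relied on shell expansion is likewise now taken literally. The enclosing function continues beyond the hunk, so how `aBuffer` and `aLaunchBuffer` are consumed afterwards is not visible here.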