net-p2p/verlihub/files/patch-CVE-2008-5706


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82

--- src/ctrigger.cpp.orig	2005-04-11 19:18:38.000000000 +0400
+++ src/ctrigger.cpp	2008-12-27 23:28:14.000000000 +0300
@@ -7,6 +7,9 @@
  *   the Free Software Foundation; either version 2 of the License, or     *
  *   (at your option) any later version.                                   *
  ***************************************************************************/
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
 #include "cserverdc.h"
 #include "ctrigger.h"
 #include "cconndc.h"
@@ -44,16 +47,33 @@
 {
 	string buf, filename, sender;
 	string par1, end1, parall;
+	string cmdl;
+
 	if (conn && conn->mpUser)
 	{
+		cmd_line >> cmdl;
+		/* Sanitise user input if we're going to exec anything */
+		if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) {
+			string cleaned = string();
+			const string toclean = string(";\"'\\`:!${}[]&><|~/");
+
+			for (string::iterator i = cmdl.begin();
+			    i < cmdl.end();
+			    i++) {
+				if (toclean.find(*i) == string::npos)
+					cleaned.append(1, *i);
+			}
+			cmdl = cleaned;
+		}
+
 		int uclass = conn->mpUser->mClass;
 		if ((uclass >= this->mMinClass) &&(uclass <= this->mMaxClass)) {
 
-			if(cmd_line.str().size() > mCommand.size()) {
-				parall.assign(cmd_line.str(),mCommand.size()+1,string::npos);
+			if(cmdl.size() > mCommand.size()) {
+				parall.assign(cmdl,mCommand.size()+1,string::npos);
 			}
-			cmd_line >> par1;
-			end1 = cmd_line.str();
+			par1 = cmdl;
+			end1 = cmdl;
 
 			sender = server.mC.hub_security;
 			if (mSendAs.size()) sender = mSendAs;
@@ -104,14 +124,25 @@
 
 			if (mFlags & eTF_EXECUTE && server.mDBConf.allow_exec) {
 				string command(buf);
-				filename = server.mConfigBaseDir;
-				filename.append("/tmp/trigger.tmp");
-				command.append(" > ");
-				command.append(filename);
+				char buffer[1024];
+				FILE *stream;
+
 				cout << command << endl;
-				system(command.c_str());
 				buf = "";
-				if (!LoadFileInString(filename,buf)) return 0;
+				stream = popen(command.c_str(), "r");
+				if (stream == NULL) {
+					cout << strerror(errno) << std::endl;
+					return 0;
+				} else {
+					while (fgets(buffer, sizeof(buffer),
+					  stream) != NULL)
+                				buf.append(buffer);
+					if (pclose(stream) == -1) {
+						cout << strerror(errno) <<
+						  std::endl;
+						return 0;
+					}
+				}
 			}
 
 			// @CHANGED by dReiska +BEGINS+