author | Joseph Hunkeler <jhunkeler@gmail.com> | 2019-12-31 01:57:13 -0500 |
---|---|---|
committer | Joseph Hunkeler <jhunkeler@gmail.com> | 2019-12-31 01:57:13 -0500 |
commit | 553c5233d35b7648045a928004fdfc05b4e0d965 (patch) | |
tree | 6afb95cfe8ef1252e8d9619984ca754c7ddc2881 | |
parent | 96145d5fdc0d695414f200c2afa372818f4857df (diff) | |
download | spmc-553c5233d35b7648045a928004fdfc05b4e0d965.tar.gz |
Sanitize inputs BEFORE constructing a command string
-rw-r--r-- | src/archive.c | 28 | ||||
-rw-r--r-- | src/fs.c | 6 | ||||
-rw-r--r-- | src/internal_cmd.c | 40 | ||||
-rw-r--r-- | src/relocation.c | 8 |
4 files changed, 72 insertions, 10 deletions
diff --git a/src/archive.c b/src/archive.c index 1e62abe..ef89c3a 100644 --- a/src/archive.c +++ b/src/archive.c @@ -11,12 +11,31 @@ * @param destination where to extract file to (must exist) * @return */ -int tar_extract_file(const char *archive, const char* filename, const char *destination) { +int tar_extract_file(const char *_archive, const char* _filename, const char *_destination) { Process *proc = NULL; int status; char cmd[PATH_MAX]; + char *archive = strdup(_archive); + if (!archive) { + fprintf(SYSERROR); + return -1; + } + char *filename = strdup(_filename); + if (!filename) { + fprintf(SYSERROR); + return -1; + } + char *destination = strdup(_destination); + if (!destination) { + fprintf(SYSERROR); + return -1; + } + + strchrdel(archive, "&;|"); + strchrdel(destination, "&;|"); + strchrdel(filename, "&;|"); - sprintf(cmd, "tar xf %s -C %s %s 2>&1", archive, destination, filename); + sprintf(cmd, "tar xf \"%s\" -C \"%s\" \"%s\" 2>&1", archive, destination, filename); if (exists(archive) != 0) { fprintf(stderr, "%s :: ", archive); fprintf(SYSERROR); @@ -30,8 +49,11 @@ int tar_extract_file(const char *archive, const char* filename, const char *dest } status = proc->returncode; - shell_free(proc); + shell_free(proc); + free(archive); + free(filename); + free(destination); return status; } @@ -294,9 +294,11 @@ int rsync(const char *_args, const char *_source, const char *_destination) { strcat(args_combined, _args); } + strchrdel(args_combined, "&;|"); + strchrdel(source, "&;|"); + strchrdel(destination, "&;|"); + snprintf(cmd, PATH_MAX, "rsync %s \"%s\" \"%s\" 2>&1", args_combined, source, destination); - // sanitize command - strchrdel(cmd, "&;|"); shell(&proc, SHELL_OUTPUT, cmd); if (!proc) { if (args) { diff --git a/src/internal_cmd.c b/src/internal_cmd.c index 3801fda..f8a9701 100644 --- a/src/internal_cmd.c +++ b/src/internal_cmd.c 
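Review bot: Deleting only `&;|` from `archive`, `destination` and `filename` in tar_extract_file does not make them safe inside the double-quoted command string, because the shell still interprets a double quote, a backtick, `$` and a backslash there. The same three-character list is used in the rsync hunk below and in relocate() in src/relocation.c. Silently removing characters also means the command acts on a different path from the one the caller passed. Rejecting any argument that contains a character outside a small allowlist, before anything is formatted, addresses both problems; starting tar with an argument vector instead of a shell string would be the more durable fix, depending on what the project's shell() helper supports. A sketch of the rejection check follows; the helper name is only a suggestion.

```c
/* Reject instead of stripping: accept only characters that are inert inside "..." */
static int shell_arg_ok(const char *s) {
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/._-+=:@, ";
    return s != NULL && *s != '\0' && s[strspn(s, allowed)] == '\0';
}

int tar_extract_file(const char *_archive, const char* _filename, const char *_destination) {
    // … unchanged: proc, status and cmd declarations …
    if (!shell_arg_ok(_archive) || !shell_arg_ok(_filename) || !shell_arg_ok(_destination)) {
        fprintf(stderr, "refusing path argument with unsupported characters\n");
        return -1;
    }
    // … unchanged: command construction and shell() call …
```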
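Review bot: The three `free()` calls added before `return status` run only on the final return, so every earlier exit from tar_extract_file leaks the duplicated strings. In the first hunk the `!filename` branch returns without freeing `archive`, and the `!destination` branch returns without freeing `archive` and `filename`; adding `free(archive);` to the first and `free(archive); free(filename);` to the second fixes the visible cases. The returns after the `exists(archive)` check and after `shell()` lie outside the hunks, so they are presumably affected as well, and a single cleanup label at the end of the function would cover all of them.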
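Review bot: `args_combined` is still placed in the rsync command without quotes (`"rsync %s \"%s\" \"%s\" 2>&1"`), so the shell word-splits and expands it, and removing `&;|` does not constrain what reaches rsync as options. If `_args` can ever originate outside the program, it should be checked against the options the callers actually need instead of being filtered by character. If it is always a fixed string, a comment above the snprintf such as `/* _args must be a trusted literal; it is passed to the shell unquoted */` would record that assumption. The start of rsync() and the size of `args_combined` are outside the hunk, so the bound on `strcat(args_combined, _args)` could not be checked here.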
@@ -10,13 +10,23 @@ static char *internal_commands[] = { "mkprefixbin", "generate prefix manifest (binary)", "mkprefixtext", "generate prefix manifest (text)", "rpath_set", "modify binary RPATH", + "rpath_autoset", "determine nearest lib directory and set RPATH", NULL, NULL, }; +/** + * + */ void mkprefix_interface_usage(void) { printf("usage: mkprefix[bin|text] {output_file} {dir} {prefix ...}\n"); } +/** + * Create prefix manifests from the CLI + * @param argc + * @param argv + * @return return value of `prefixes_write` + */ int mkprefix_interface(int argc, char **argv) { char *command = argv[0]; char *outfile = argv[1]; @@ -78,10 +88,10 @@ void rpath_set_interface_usage(void) { } /** - * + * Set a RPATH from the CLI * @param argc * @param argv - * @return + * @return return value of `rpath_set` */ int rpath_set_interface(int argc, char **argv) { if (argc < 3) { @@ -98,6 +108,32 @@ int rpath_set_interface(int argc, char **argv) { } /** + * + */ +void rpath_autoset_interface_usage(void) { + printf("usage: rpath_autoset {file} {rpath}\n"); +} + +/** + * Set a RPATH automatically from the CLI + * @param argc + * @param argv + * @return return value of `rpath_autoset` + */ +int rpath_autoset_interface(int argc, char **argv) { + if (argc < 2) { + rpath_autoset_interface_usage(); + return -1; + } + char *filename = argv[1]; + int result = rpath_autoset(filename); + if (result < 0) { + fprintf(SYSERROR); + } + return result; +} + +/** * Show a listing of valid internal commands */ void internal_command_list(void) { diff --git a/src/relocation.c b/src/relocation.c index 473624a..1ba95d5 100644 --- a/src/relocation.c +++ b/src/relocation.c 
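Review bot: The usage text added in rpath_autoset_interface_usage advertises two arguments, `rpath_autoset {file} {rpath}`, while rpath_autoset_interface reads only `argv[1]` and fails only when `argc < 2`. The message should match the code, for example `printf("usage: rpath_autoset {file}\n");`. The doc blocks added above both usage functions are empty placeholders; a one-line description such as `Print usage for the rpath_autoset internal command` would make them worth keeping.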
@@ -296,12 +296,14 @@ int relocate(const char *_filename, const char *_oldstr, const char *_newstr) { char *filename = strdup(_filename); char cmd[PATH_MAX]; + // sanitize command + strchrdel(oldstr, "&;|"); + strchrdel(newstr, "&;|"); + strchrdel(filename, "&;|"); + memset(cmd, '\0', sizeof(cmd)); sprintf(cmd, "reloc \"%s\" \"%s\" \"%s\" \"%s\" 2>&1", oldstr, newstr, filename, filename); - // sanitize command - strchrdel(cmd, "&;|"); - shell(&proc, SHELL_OUTPUT, cmd); if (!proc) { free(oldstr); |
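Review bot: The `sprintf` into `cmd[PATH_MAX]` in relocate() is unbounded, and the format places `filename` twice alongside `oldstr` and `newstr`, so inputs that are each a valid path length can overflow the stack buffer. Use the bounded form the rsync hunk already uses and treat truncation as an error: `int n = snprintf(cmd, sizeof(cmd), "reloc \"%s\" \"%s\" \"%s\" \"%s\" 2>&1", oldstr, newstr, filename, filename);` followed by `if (n < 0 || (size_t)n >= sizeof(cmd)) { /* free the copies and return -1 */ }`. The same applies to the `sprintf` in tar_extract_file in src/archive.c. Separately, `strchrdel(filename, "&;|")` runs on the result of `strdup(_filename)` with no NULL check visible in this hunk, unlike the checks this commit adds in archive.c. The function starts before and continues past the hunk.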