Preset names are not escaped / treated as literal #28
Comments
We’ve had SQL injection, but what about regex injection⁈ :)
I'm looking at changing lines 301-303 of bindED.cs to

```csharp
FileInfo[] bindFiles = dirInfo.GetFiles()
    .Where(i => Regex.Match(i.Name, $@"^{Regex.Escape(preset ?? string.Empty)}\.[34]\.0\.binds$").Success)
    .OrderByDescending(p => p.Name).ToArray();
```

The change seems to be working.
I should have just let you do a pull request instead of doing the exact same thing in parallel =p Anyway, the nullable

(fixed next release which I’m probably going to do soon™ in light of this bug)

Fixed locally in the meantime. Thanks. :-)
The `DetectBindsFile` method can reject preset names containing Regex special characters and can return a "No bindings file found" error instead. For example, with my bindings file "T16000M HOTAS (T'kael).4.0.binds" the parentheses are treated as regex characters rather than as part of the literal prefix name, which causes a mismatch. The prefix name needs to be treated literally.
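The mismatch reported in this issue, and two related failure modes of interpolating a preset name into a pattern, shown side by side with the `Regex.Escape` form as an added example that is not part of the thread or the project's code. The class and method names are hypothetical, and every file name except the one quoted in the issue is constructed.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

static class PresetMatchDemo
{
    // Constructed sample file names; only the first comes from the issue text.
    static readonly string[] Files =
    {
        "T16000M HOTAS (T'kael).4.0.binds",
        "X-52.4.0.binds",
        "X.52.3.0.binds",
    };

    // Before: the preset is interpolated into the pattern as regex syntax.
    static string[] MatchUnescaped(string preset) =>
        Files.Where(f => Regex.IsMatch(f, $@"^{preset}\.[34]\.0\.binds$")).ToArray();

    // After: Regex.Escape turns every metacharacter in the preset into a literal.
    static string[] MatchEscaped(string preset) =>
        Files.Where(f => Regex.IsMatch(f, $@"^{Regex.Escape(preset ?? string.Empty)}\.[34]\.0\.binds$")).ToArray();

    // Runs a matcher and reports matches, no match, or a pattern parse failure.
    static string Describe(Func<string, string[]> matcher, string preset)
    {
        try
        {
            var hits = matcher(preset);
            return hits.Length == 0 ? "(no match)" : string.Join(", ", hits);
        }
        catch (ArgumentException e) // invalid pattern, e.g. an unbalanced "("
        {
            return "pattern error: " + e.GetType().Name;
        }
    }

    static void Main()
    {
        // The preset from the issue, one containing '.', one with an unbalanced '('.
        foreach (var preset in new[] { "T16000M HOTAS (T'kael)", "X.52", "Custom (v2" })
        {
            Console.WriteLine($"preset: {preset}");
            Console.WriteLine($"  unescaped: {Describe(MatchUnescaped, preset)}");
            Console.WriteLine($"  escaped:   {Describe(MatchEscaped, preset)}");
        }
    }
}
```

Unescaped, the parentheses become a capture group so the issue's file is missed, the `.` in `X.52` also selects `X-52.4.0.binds`, and the unbalanced `(` makes the pattern fail to parse; the escaped form matches only the literal prefix in all three cases.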