Preset names are not escaped / treated as literal #28
Assignees
Labels
bug
Something isn't working
Comments
|
We’ve had SQL injection, but what about regex injection⁈ :) |
|
I'm looking at changing lines 301-303 of bindED.cs to FileInfo[] bindFiles = dirInfo.GetFiles()
.Where(i => Regex.Match(i.Name, $@"^{Regex.Escape(preset ?? string.Empty)}\.[34]\.0\.binds$").Success)
.OrderByDescending(p => p.Name).ToArray(); |
|
The change seems to be working. |
|
I should have just let you do a pull request instead of doing the exact same thing in parallel =p Anyway, the nullable |
|
(fixed next release which I’m probably going to do soon™ in light of this bug) |
|
Fixed locally in the meantime. Thanks. :-) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The
DetectBindsFilemethod can reject preset names containing Regex special characters and can return a "No bindings file found" error instead. For example, with my bindings file "T16000M HOTAS (T'kael).4.0.binds" the parenthesis are treated as regex characters rather than as part of the literal prefix name which causes a mismatch. The prefix name needs to be treated literally.The text was updated successfully, but these errors were encountered: