Redefined argument checking for internal raspberry pi camera
Showing
with
30 additions
and
20 deletions.
-
+22
−7
main/Helper.cpp
-
+8
−11
main/SQLHelper.cpp
-
+0
−2
main/WebServer.cpp
|
@@ -871,16 +871,31 @@ int timeval_subtract (struct timeval *result, struct timeval *x, struct timeval |
|
|
return x->tv_sec < y->tv_sec; |
|
|
} |
|
|
|
|
|
const char *szInsecureArgumentOptions[] = { |
|
|
"import", |
|
|
"socket", |
|
|
"process", |
|
|
"os", |
|
|
"|", |
|
|
";", |
|
|
"&", |
|
|
"$", |
|
|
"<", |
|
|
">", |
|
|
NULL |
|
|
}; |
|
|
|
|
|
bool IsArgumentSecure(const std::string &arg) |
|
|
{ |
|
|
std::string larg(arg); |
|
|
std::transform(larg.begin(), larg.end(), larg.begin(), ::tolower); |
|
|
|
|
|
return ( |
|
|
(larg.find("-c") == std::string::npos) |
|
|
&& (larg.find("import") == std::string::npos) |
|
|
&& (larg.find("socket") == std::string::npos) |
|
|
&& (larg.find("process") == std::string::npos) |
|
|
&& (larg.find("os") == std::string::npos) |
|
|
); |
|
|
int ii = 0; |
|
|
while (szInsecureArgumentOptions[ii] != NULL) |
|
|
{ |
|
|
if (larg.find(szInsecureArgumentOptions[ii]) != std::string::npos) |
|
|
return false; |
|
|
ii++; |
|
|
} |
|
|
return true; |
|
|
}
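Review bot: The new `szInsecureArgumentOptions` table has no `"-c"` entry, although the `return (...)` expression it appears to replace did reject `-c` (the +/- markers are lost on this page, so the sides are inferred from the +22/−7 counts); if dropping it is intentional it deserves a comment, otherwise add `"-c",` back to the table. A substring deny-list also cannot enumerate everything a shell interprets, and an entry like `"os"` rejects harmless arguments such as a path containing "close". Since this function is the visible gate in front of a `system()` call, an allow-list of permitted characters, or passing the arguments as an argv array to an exec-style call with no shell involved, would be the sturdier check. The table should also be declared `static const char *const szInsecureArgumentOptions[]` so it is file-local and immutable.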
|
|
@@ -2809,20 +2809,17 @@ void CSQLHelper::Do_Work() |
|
|
else if (itt->_ItemType == TITEM_EXECUTE_SCRIPT) |
|
|
{ |
|
|
//start script |
|
|
if (IsArgumentSecure(itt->_sValue)) |
|
|
{ |
|
|
_log.Log(LOG_STATUS, "Executing script: %s", itt->_ID.c_str()); |
|
|
_log.Log(LOG_STATUS, "Executing script: %s", itt->_ID.c_str()); |
|
|
#ifdef WIN32 |
|
|
ShellExecute(NULL, "open", itt->_ID.c_str(), itt->_sValue.c_str(), NULL, SW_SHOWNORMAL); |
|
|
ShellExecute(NULL, "open", itt->_ID.c_str(), itt->_sValue.c_str(), NULL, SW_SHOWNORMAL); |
|
|
#else |
|
|
std::string lscript = itt->_ID + " " + itt->_sValue; |
|
|
int ret = system(lscript.c_str()); |
|
|
if (ret != 0) |
|
|
{ |
|
|
_log.Log(LOG_ERROR, "Error executing script command (%s). returned: %d", itt->_ID.c_str(), ret); |
|
|
} |
|
|
#endif |
|
|
std::string lscript = itt->_ID + " " + itt->_sValue; |
|
|
int ret = system(lscript.c_str()); |
|
|
if (ret != 0) |
|
|
{ |
|
|
_log.Log(LOG_ERROR, "Error executing script command (%s). returned: %d", itt->_ID.c_str(), ret); |
|
|
} |
|
|
#endif |
|
|
} |
|
|
else if (itt->_ItemType == TITEM_EMAIL_CAMERA_SNAPSHOT) |
|
|
{ |
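Review bot: In the TITEM_EXECUTE_SCRIPT branch, `itt->_sValue` is now concatenated into `lscript` and passed to `system()` with no validation visible in this hunk, because the `if (IsArgumentSecure(itt->_sValue))` guard appears to be removed (inferred from the +8/−11 counts and the de-indented duplicate lines). The main/WebServer.cpp section drops its `IsArgumentSecure(script_params)` check as well. If validation now happens where the task is queued, say so above `//start script`, e.g. `// _sValue is validated by <caller, to be named> before the task is queued`; otherwise keep the guard and log the rejected argument at LOG_ERROR. CSQLHelper::Do_Work starts and ends outside this hunk, so a check elsewhere in the function cannot be ruled out from here.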
|
|
|
@@ -2989,8 +2989,6 @@ namespace http { |
|
|
std::string strparm = szUserDataFolder; |
|
|
if (!script_params.empty()) |
|
|
{ |
|
|
if (!IsArgumentSecure(script_params)) |
|
|
return; |
|
|
if (strparm.size() > 0) |
|
|
strparm += " " + script_params; |
|
|
else |
|
|