
Redefined argument checking for internal raspberry pi camera

gizmocuz committed May 3, 2017
1 parent db2d5fe commit 2934cffe1772475cddf40a4054f67de201b96a44
Showing with 30 additions and 20 deletions.
  1. +22 −7 main/Helper.cpp
  2. +8 −11 main/SQLHelper.cpp
  3. +0 −2 main/WebServer.cpp
@@ -871,16 +871,31 @@ int timeval_subtract (struct timeval *result, struct timeval *x, struct timeval
return x->tv_sec < y->tv_sec;
}
const char *szInsecureArgumentOptions[] = {
"import",
"socket",
"process",
"os",
"|",
";",
"&",
"$",
"<",
">",
NULL
};
bool IsArgumentSecure(const std::string &arg)
{
std::string larg(arg);
std::transform(larg.begin(), larg.end(), larg.begin(), ::tolower);
return (
(larg.find("-c") == std::string::npos)
&& (larg.find("import") == std::string::npos)
&& (larg.find("socket") == std::string::npos)
&& (larg.find("process") == std::string::npos)
&& (larg.find("os") == std::string::npos)
);
int ii = 0;
while (szInsecureArgumentOptions[ii] != NULL)
{
if (larg.find(szInsecureArgumentOptions[ii]) != std::string::npos)
return false;
ii++;
}
return true;
}
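Review bot: The rewritten `IsArgumentSecure` is still a substring denylist, and the new `szInsecureArgumentOptions` table no longer contains `-c`, which the old `return (...)` expression shown on this page rejected; if that was intentional it deserves a comment next to the table. The list also omits other characters a shell treats specially (backtick and newline, for example), while the bare `"os"` entry rejects any argument that merely contains those two letters, such as a path with `position` in it. Since the values this function vets are concatenated into a `system()` command line (see main/SQLHelper.cpp), an allowlist of permitted characters, or passing arguments as an argv vector to an exec-style call, is a sturdier boundary than growing this list. Separately, `::tolower` should be given an `unsigned char`, e.g. `[](unsigned char c) { return static_cast<char>(std::tolower(c)); }`, and the table can be declared `static const char *const`.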
@@ -2809,20 +2809,17 @@ void CSQLHelper::Do_Work()
else if (itt->_ItemType == TITEM_EXECUTE_SCRIPT)
{
//start script
if (IsArgumentSecure(itt->_sValue))
{
_log.Log(LOG_STATUS, "Executing script: %s", itt->_ID.c_str());
_log.Log(LOG_STATUS, "Executing script: %s", itt->_ID.c_str());
#ifdef WIN32
ShellExecute(NULL, "open", itt->_ID.c_str(), itt->_sValue.c_str(), NULL, SW_SHOWNORMAL);
ShellExecute(NULL, "open", itt->_ID.c_str(), itt->_sValue.c_str(), NULL, SW_SHOWNORMAL);
#else
std::string lscript = itt->_ID + " " + itt->_sValue;
int ret = system(lscript.c_str());
if (ret != 0)
{
_log.Log(LOG_ERROR, "Error executing script command (%s). returned: %d", itt->_ID.c_str(), ret);
}
#endif
std::string lscript = itt->_ID + " " + itt->_sValue;
int ret = system(lscript.c_str());
if (ret != 0)
{
_log.Log(LOG_ERROR, "Error executing script command (%s). returned: %d", itt->_ID.c_str(), ret);
}
#endif
}
else if (itt->_ItemType == TITEM_EMAIL_CAMERA_SNAPSHOT)
{
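Review bot: With the `if (IsArgumentSecure(itt->_sValue))` guard removed, the `#else` branch builds `itt->_ID + " " + itt->_sValue` and passes it to `system()` with no validation visible in this hunk, and main/WebServer.cpp drops its `IsArgumentSecure(script_params)` check in the same commit. Unless every producer of `TITEM_EXECUTE_SCRIPT` items validates the value before queuing it (not visible here), the check belongs at this sink: keep the guard and log refusals, e.g. `else _log.Log(LOG_ERROR, "Script arguments rejected: %s", itt->_ID.c_str());`, so a rejected task is not dropped silently. Longer term, replacing `system()` with a fork/exec call that takes the script path and arguments as separate argv entries would keep a shell from parsing `_sValue` at all. `CSQLHelper::Do_Work` starts and ends outside this hunk.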
@@ -2989,8 +2989,6 @@ namespace http {
std::string strparm = szUserDataFolder;
if (!script_params.empty())
{
if (!IsArgumentSecure(script_params))
return;
if (strparm.size() > 0)
strparm += " " + script_params;
else
