Redefined argument checking for internal raspberry pi camera

domoticz · May 3, 2017 · 2934cff · 2934cff
1 parent db2d5fe
commit 2934cff
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 20 deletions.
diff --git a/main/Helper.cpp b/main/Helper.cpp
@@ -871,16 +871,31 @@ int timeval_subtract (struct timeval *result, struct timeval *x, struct timeval
   return x->tv_sec < y->tv_sec;
 }
 
+const char *szInsecureArgumentOptions[] = {
+	"import",
+	"socket",
+	"process",
+	"os",
+	"|",
+	";",
+	"&",
+	"$",
+	"<",
+	">",
+	NULL
+};
+
 bool IsArgumentSecure(const std::string &arg)
 {
 	std::string larg(arg);
 	std::transform(larg.begin(), larg.end(), larg.begin(), ::tolower);
 
-	return (
-		(larg.find("-c") == std::string::npos)
-		&& (larg.find("import") == std::string::npos)
-		&& (larg.find("socket") == std::string::npos)
-		&& (larg.find("process") == std::string::npos)
-		&& (larg.find("os") == std::string::npos)
-		);
+	int ii = 0;
+	while (szInsecureArgumentOptions[ii] != NULL)
+	{
+		if (larg.find(szInsecureArgumentOptions[ii]) != std::string::npos)
+			return false;
+		ii++;
+	}
+	return true;
 }
diff --git a/main/SQLHelper.cpp b/main/SQLHelper.cpp
@@ -2809,20 +2809,17 @@ void CSQLHelper::Do_Work()
 			else if (itt->_ItemType == TITEM_EXECUTE_SCRIPT)
 			{
 				//start script
-				if (IsArgumentSecure(itt->_sValue))
-				{
-					_log.Log(LOG_STATUS, "Executing script: %s", itt->_ID.c_str());
+				_log.Log(LOG_STATUS, "Executing script: %s", itt->_ID.c_str());
 #ifdef WIN32
-					ShellExecute(NULL, "open", itt->_ID.c_str(), itt->_sValue.c_str(), NULL, SW_SHOWNORMAL);
+				ShellExecute(NULL, "open", itt->_ID.c_str(), itt->_sValue.c_str(), NULL, SW_SHOWNORMAL);
 #else
-					std::string lscript = itt->_ID + " " + itt->_sValue;
-					int ret = system(lscript.c_str());
-					if (ret != 0)
-					{
-						_log.Log(LOG_ERROR, "Error executing script command (%s). returned: %d", itt->_ID.c_str(), ret);
-					}
-#endif
+				std::string lscript = itt->_ID + " " + itt->_sValue;
+				int ret = system(lscript.c_str());
+				if (ret != 0)
+				{
+					_log.Log(LOG_ERROR, "Error executing script command (%s). returned: %d", itt->_ID.c_str(), ret);
 				}
+#endif
 			}
 			else if (itt->_ItemType == TITEM_EMAIL_CAMERA_SNAPSHOT)
 			{

diff --git a/main/WebServer.cpp b/main/WebServer.cpp
@@ -2989,8 +2989,6 @@ namespace http {
 			std::string strparm = szUserDataFolder;
 			if (!script_params.empty())
 			{
-				if (!IsArgumentSecure(script_params))
-					return;
 				if (strparm.size() > 0)
 					strparm += " " + script_params;
 				else