nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Escape special shell chars to avoid their interpretation (bug #1044864).

Browse Source
This commit is contained in:
Michal Čihař
2004-10-12 12:22:52 +00:00
parent ff74257209
commit 1d170eefbf
2 changed files with 39 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
ChangeLog
View File

@@ -10,6 +10,8 @@ $Source$
to it. to it.
* libraries/transformations.lib.php: Strip slashes to behave like * libraries/transformations.lib.php: Strip slashes to behave like
documentation says. documentation says.
* libraries/transformations/text_plain__external.inc.php: Escape special
shell chars to avoid their interpretation (bug #1044864).
2004-10-11 Marc Delisle <lem9@users.sourceforge.net> 2004-10-11 Marc Delisle <lem9@users.sourceforge.net>
* Documentation.html: typos and XHTML validity, thanks to Cedric Corazza * Documentation.html: typos and XHTML validity, thanks to Cedric Corazza

41
libraries/transformations/text_plain__external.inc.php
View File

@@ -2,10 +2,43 @@
/* $Id$ */ /* $Id$ */
// vim: expandtab sw=4 ts=4 sts=4: // vim: expandtab sw=4 ts=4 sts=4:
function PMA_EscapeShellArg($string, $prepend = '\'') { function PMA_EscapeShellArg($string) {
return $prepend . ereg_replace("'", "'\\''", $string) . $prepend; return '\'' . str_replace('\'', '\\\'', $string) . '\'';
} }
function PMA_SecureShellArgs($s) {
$len = strlen($s);
$inside_single = FALSE;
$inside_double = FALSE;
for($i = 0; $i < $len; $i++) {
if (!$inside_double && $s[$i] == '\'' && ($i == 0 || $s[$i -1] != '\\')) {
$inside_single = ! $inside_single;
continue;
}
if (!$inside_single && $s[$i] == '"' && ($i == 0 || $s[$i -1] != '\\')) {
$inside_double = ! $inside_double;
continue;
}
// escape shell special chars in we're not inside quotes
if (!$inside_single && !$inside_double && ($i == 0 || $s[$i -1] != '\\')) {
if (strstr('><$`|;&', $s[$i])) {
$s = substr($s, 0, $i) . '\\' . substr($s, $i);
$i++;
continue;
}
}
// in double quotes we need to escape more
if ($inside_double) {
if (strstr('$`', $s[$i])) {
$s = substr($s, 0, $i) . '\\' . substr($s, $i);
$i++;
}
}
}
return $s;
}
function PMA_transformation_text_plain__external_nowrap($options = array()) { function PMA_transformation_text_plain__external_nowrap($options = array()) {
if (!isset($options[3]) || $options[3] == '') { if (!isset($options[3]) || $options[3] == '') {
$nowrap = true; $nowrap = true;
@@ -28,7 +61,7 @@ function PMA_transformation_text_plain__external($buffer, $options = array(), $m
$allowed_programs[0] = '/usr/local/bin/tidy'; $allowed_programs[0] = '/usr/local/bin/tidy';
$allowed_programs[1] = '/usr/local/bin/validate'; $allowed_programs[1] = '/usr/local/bin/validate';
if (!isset($options[0]) || $options[0] == '') { if (!isset($options[0]) || $options[0] == '' || !isset($allowed_programs[$options[0]])) {
$program = $allowed_programs[0]; $program = $allowed_programs[0];
} else { } else {
$program = $allowed_programs[$options[0]]; $program = $allowed_programs[$options[0]];
@@ -48,7 +81,7 @@ function PMA_transformation_text_plain__external($buffer, $options = array(), $m
$options[3] = 1; $options[3] = 1;
} }
$cmdline = 'echo ' . PMA_EscapeShellArg($buffer) . ' | ' . $program . ' ' . PMA_EscapeShellArg($poptions, ''); $cmdline = 'echo ' . PMA_EscapeShellArg($buffer) . ' | ' . $program . ' ' . PMA_SecureShellArgs($poptions);
$newstring = `$cmdline`; $newstring = `$cmdline`;
if ($options[2] == 1 || $options[2] == '2') { if ($options[2] == 1 || $options[2] == '2') {