https://github.com/akrennmair/newsbeuter/commit/26f5a4350f3ab5507bb8727051c87bb04660f333.patch http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14500
From 26f5a4350f3ab5507bb8727051c87bb04660f333 Mon Sep 17 00:00:00 2001
From: Alexander Batischev
Date: Sat, 16 Sep 2017 19:31:43 +0300
Subject: [PATCH] Work around shell code in podcast names (#598)

---
 src/pb_controller.cpp | 6 +++---
 src/queueloader.cpp | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/pb_controller.cpp b/src/pb_controller.cpp
index 09b5e897..213216cd 100644
--- a/src/pb_controller.cpp
+++ b/src/pb_controller.cpp
@@ -306,9 +306,9 @@ void pb_controller::play_file(const std::string& file) {
 	if (player == "")
 		return;
 	cmdline.append(player);
-	cmdline.append(" \"");
-	cmdline.append(utils::replace_all(file,"\"", "\\\""));
-	cmdline.append("\"");
+	cmdline.append(" \'");
+	cmdline.append(utils::replace_all(file,"'", "%27"));
+	cmdline.append("\'");
 	stfl::reset();
 	LOG(LOG_DEBUG, "pb_controller::play_file: running `%s'", cmdline.c_str());
 	::system(cmdline.c_str());
diff --git a/src/queueloader.cpp b/src/queueloader.cpp
index c1dabdd8..ae725e04 100644
--- a/src/queueloader.cpp
+++ b/src/queueloader.cpp
@@ -130,7 +130,7 @@ std::string queueloader::get_filename(const std::string& str) {
 		strftime(lbuf, sizeof(lbuf), "%Y-%b-%d-%H%M%S.unknown", localtime(&t));
 		fn.append(lbuf);
 	} else {
-		fn.append(base);
+		fn.append(utils::replace_all(base, "'", "%27"));
 	}
 	return fn;
 }
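Review bot: The new single-quoting is sound for a POSIX sh, since nothing inside single quotes is interpreted and the only character that could terminate the quoted string is rewritten, but rewriting `'` to `%27` also changes the path handed to the player, so a file whose on-disk name contains a single quote (for instance one queued before this change, when get_filename in src/queueloader.cpp did not strip it) is no longer found. An escape that keeps the path intact is to close, escape and reopen the quote: `cmdline.append(utils::replace_all(file, "'", "'\\''"));`. The `\'` in the two new literals is an unnecessary escape; `" '"` and `"'"` read the same. The command is still assembled as a string for `::system()`, so the quoting remains the only barrier between the filename and the shell; running the player via fork/exec with the file as its own argv element would take the shell out of the path entirely, though `player` is a configured command string that may carry its own arguments and would need tokenizing first. play_file's body starts above the hunk.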
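Review bot: The reason for rewriting `'` in the generated name is not visible from get_filename itself; it only makes sense together with pb_controller::play_file, which wraps the path in single quotes before handing it to the shell, so the new line deserves a comment such as `// keep ' out of generated names: pb_controller::play_file single-quotes the path for the shell`. The replacement is applied only to the `base` branch, which looks right, since the strftime branch should not produce a quote from that format string. The spacing of the replace_all call here (`base, "'"`) differs from the one added in src/pb_controller.cpp (`file,"'"`); pick one form for both. get_filename starts before the hunk and `base` is derived outside it, so what it can contain is not checkable from here.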