author | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2006-09-07 23:12:29 +0000 |
---|---|---|
committer | tilghman <tilghman@f38db490-d61c-443f-a65b-d21fe96a405b> | 2006-09-07 23:12:29 +0000 |
commit | f38c6d31d7a68f60ee41c9fcd4ac44a2d17ee73b (patch) | |
tree | d690697199b49fe4e169a795da9b13a12e382b37 /apps | |
parent | bb9b6b930593cfe2228af9a15ba758bb56de5669 (diff) |
Format vulnerability fix - allowing the user to specify a format is not a good idea (Bug 7811)
git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.2@42355 f38db490-d61c-443f-a65b-d21fe96a405b
Diffstat (limited to 'apps')
-rw-r--r-- | apps/app_record.c | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/apps/app_record.c b/apps/app_record.c
index 85310ea70..3101e22f4 100644
--- a/apps/app_record.c
+++ b/apps/app_record.c
@@ -41,6 +41,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 #include "asterisk/dsp.h"
 #include "asterisk/utils.h"
 #include "asterisk/options.h"
+#include "asterisk/app.h"
 static char *tdesc = "Trivial Record Application";
@@ -183,8 +184,35 @@ static int record_exec(struct ast_channel *chan, void *data)
 /* these are to allow the use of the %d in the config file for a wild card of sort to create a new file with the inputed name scheme */
 if (percentflag) {
+ AST_DECLARE_APP_ARGS(fname,
+ AST_APP_ARG(piece)[100];
+ );
+ char *tmp2 = ast_strdupa(filename);
+ char countstring[15];
+ int i;
+
+ /* Separate each piece out by the format specifier */
+ /* AST_NONSTANDARD_APP_ARGS(fname, tmp2, '%'); */
+ fname.argc = ast_app_separate_args(tmp2, '%', fname.argv, (sizeof(fname) - sizeof(fname.argc)) / sizeof(fname.argv[0]));
 do {
- snprintf(tmp, sizeof(tmp), filename, count);
+ int tmplen;
+ /* First piece has no leading percent, so it's copied verbatim */
+ ast_copy_string(tmp, fname.piece[0], sizeof(tmp));
+ tmplen = strlen(tmp);
+ for (i = 1; i < fname.argc; i++) {
+ if (fname.piece[i][0] == 'd') {
+ /* Substitute the count */
+ snprintf(countstring, sizeof(countstring), "%d", count);
+ ast_copy_string(tmp + tmplen, countstring, sizeof(tmp) - tmplen);
+ tmplen += strlen(countstring);
+ } else if (tmplen + 2 < sizeof(tmp)) {
+ /* Unknown format specifier - just copy it verbatim */
+ tmp[tmplen++] = '%';
+ tmp[tmplen++] = fname.piece[i][0];
+ }
+ /* Copy the remaining portion of the piece */
+ ast_copy_string(tmp + tmplen, &(fname.piece[i][1]), sizeof(tmp) - tmplen);
+ }
 count++;
 } while ( ast_fileexists(tmp, ext, chan->language) != -1 );
 pbx_builtin_setvar_helper(chan, "RECORDED_FILE", tmp); |
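Review bot: In the `%d` branch of the second hunk, `tmplen += strlen(countstring);` advances by the full length of the count even when `ast_copy_string` had to truncate it, so once `tmp` is nearly full `tmplen` can exceed `sizeof(tmp)`. The trailing `ast_copy_string(tmp + tmplen, &(fname.piece[i][1]), sizeof(tmp) - tmplen)` then gets a size that wraps to a very large unsigned value and a destination past the end of `tmp`. Recomputing the offset from the buffer after each append, `tmplen = strlen(tmp);`, keeps it below `sizeof(tmp)`, and the same line is needed after the final copy of each piece, where `tmplen` is currently not updated at all. Separately, if `ast_app_separate_args` returns an empty piece (a trailing `%` or `%%`; presumably it does, but that function is not in this diff), the else branch stores the NUL as the specifier and `&(fname.piece[i][1])` reads past the piece's terminator, so a guard such as `if (!fname.piece[i][0]) continue;` at the top of the loop is worth adding. The declaration of `tmp` and the rest of `record_exec` lie outside the hunk.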