From 17b99c8c7c05646c9eff400674a405a9f71a3ae1 Mon Sep 17 00:00:00 2001
From: tilghman
Date: Thu, 7 Sep 2006 23:15:43 +0000
Subject: Merged revisions 42355 via svnmerge from https://origsvn.digium.com/svn/asterisk/branches/1.2
........
r42355 | tilghman | 2006-09-07 18:12:29 -0500 (Thu, 07 Sep 2006) | 2 lines
Format vulnerability fix - allowing the user to specify a format is not a good idea (Bug 7811)
........
git-svn-id: http://svn.digium.com/svn/asterisk/trunk@42356 f38db490-d61c-443f-a65b-d21fe96a405b
---
 apps/app_record.c | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
(limited to 'apps/app_record.c')
diff --git a/apps/app_record.c b/apps/app_record.c
index 231e2bb1e..810806e48 100644
--- a/apps/app_record.c
+++ b/apps/app_record.c
@@ -43,6 +43,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 #include "asterisk/dsp.h"
 #include "asterisk/utils.h"
 #include "asterisk/options.h"
+#include "asterisk/app.h"
 static char *app = "Record";
@@ -179,8 +180,34 @@ static int record_exec(struct ast_channel *chan, void *data)
 /* these are to allow the use of the %d in the config file for a wild card of sort to create a new file with the inputed name scheme */
 if (percentflag) {
+ AST_DECLARE_APP_ARGS(fname,
+ AST_APP_ARG(piece)[100];
+ );
+ char *tmp2 = ast_strdupa(filename);
+ char countstring[15];
+ int i;
+
+ /* Separate each piece out by the format specifier */
+ AST_NONSTANDARD_APP_ARGS(fname, tmp2, '%');
 do {
- snprintf(tmp, sizeof(tmp), filename, count);
+ int tmplen;
+ /* First piece has no leading percent, so it's copied verbatim */
+ ast_copy_string(tmp, fname.piece[0], sizeof(tmp));
+ tmplen = strlen(tmp);
+ for (i = 1; i < fname.argc; i++) {
+ if (fname.piece[i][0] == 'd') {
+ /* Substitute the count */
+ snprintf(countstring, sizeof(countstring), "%d", count);
+ ast_copy_string(tmp + tmplen, countstring, sizeof(tmp) - tmplen);
+ tmplen += strlen(countstring);
+ } else if (tmplen + 2 < sizeof(tmp)) {
+ /* Unknown format specifier - just copy it verbatim */
+ tmp[tmplen++] = '%';
+ tmp[tmplen++] = fname.piece[i][0];
+ }
+ /* Copy the remaining portion of the piece */
+ ast_copy_string(tmp + tmplen, &(fname.piece[i][1]), sizeof(tmp) - tmplen);
+ }
 count++;
 } while ( ast_fileexists(tmp, ext, chan->language) != -1 );
 pbx_builtin_setvar_helper(chan, "RECORDED_FILE", tmp);
--
cgit v1.2.3
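Review bot: `tmplen` can drift away from the real length of `tmp` inside the new `for` loop: `tmplen += strlen(countstring);` advances it even when `ast_copy_string` had to truncate, and nothing advances it after the final "Copy the remaining portion" copy. Once the assembled name gets close to `sizeof(tmp)`, `tmplen` can exceed it, and because `sizeof(tmp) - tmplen` is unsigned arithmetic the size handed to the next `ast_copy_string(tmp + tmplen, ...)` would wrap to a very large value, so the bounded copy would no longer be bounded. The missing update also means that with two specifiers in the name the second substitution is written over the text copied after the first. Resynchronising from the buffer after each copy covers both: use `tmplen = strlen(tmp);` in place of the `+=` line and repeat it after the remainder copy. The declaration of `tmp` and any limit on `filename` are outside the hunk (record_exec starts and ends beyond it), so whether the overflow is reachable should be confirmed there.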