From 7aaac1dfba22d2e70b33b2cf856d7885944d4a6e Mon Sep 17 00:00:00 2001
From: Colin Snover
Date: Thu, 14 Dec 2017 13:51:04 -0600
Subject: [PATCH] POSIX: Fix CVE-2017-17528
---
 backends/platform/sdl/posix/posix.cpp | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)
diff --git a/backends/platform/sdl/posix/posix.cpp b/backends/platform/sdl/posix/posix.cpp
index b805a452cf7..60f85efc2f1 100644
--- a/backends/platform/sdl/posix/posix.cpp
+++ b/backends/platform/sdl/posix/posix.cpp
@@ -49,6 +49,9 @@
 #include
 #include
+#include
+extern char **environ;
+
 OSystem_POSIX::OSystem_POSIX(Common::String baseConfigName) : _baseConfigName(baseConfigName) {
@@ -279,7 +282,7 @@ bool OSystem_POSIX::openUrl(const Common::String &url) {
 // try desktop environment specific tools
 if (launchBrowser("gnome-open", url)) // gnome
 return true;
- if (launchBrowser("kfmclient openURL", url)) // kde
+ if (launchBrowser("kfmclient", url)) // kde
 return true;
 if (launchBrowser("exo-open", url)) // xfce
 return true;
@@ -302,15 +305,24 @@ bool OSystem_POSIX::openUrl(const Common::String &url) {
 return false;
 }
-bool OSystem_POSIX::launchBrowser(const Common::String& client, const Common::String &url) {
- // FIXME: system's input must be heavily escaped
- // well, when url's specified by user
- // it's OK now (urls are hardcoded somewhere in GUI)
- Common::String cmd = client + " " + url;
- return (system(cmd.c_str()) != -1);
+bool OSystem_POSIX::launchBrowser(const Common::String &client, const Common::String &url) {
+ pid_t pid;
+ const char *argv[] = {
+ client.c_str(),
+ url.c_str(),
+ NULL,
+ NULL
+ };
+ if (client == "kfmclient") {
+ argv[2] = argv[1];
+ argv[1] = "openURL";
+ }
+ if (posix_spawnp(&pid, client.c_str(), NULL, NULL, const_cast(argv), environ) != 0) {
+ return false;
+ }
+ return (waitpid(pid, NULL, 0) != -1);
 }
-
 AudioCDManager *OSystem_POSIX::createAudioCDManager() {
 #ifdef USE_LINUXCD
 return createLinuxAudioCDManager();
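Review bot: `url` still reaches every `launchBrowser(...)` call in openUrl unvalidated, and the same patch deletes the FIXME that recorded the "urls are hardcoded" assumption. Passing it as a single argv entry makes shell metacharacters inert, but a value beginning with `-` would presumably be parsed by the launcher as an option rather than as a URL. A scheme allow-list ahead of the first launcher call would close that gap, e.g. `if (!url.hasPrefix("http://") && !url.hasPrefix("https://")) return false;`, adjusted to whichever schemes callers really pass. openUrl begins and ends outside this hunk, so the exact spot for the check is not visible here.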
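Review bot: The new `return (waitpid(pid, NULL, 0) != -1);` in launchBrowser reports success whenever the child could be reaped, whatever its exit status, so openUrl returns true for the first launcher that spawns even if it exited with an error. POSIX also allows posix_spawnp to signal an exec failure only through the child exiting with status 127, which this check would count as success. Collect and test the status instead: `int status;`, `if (waitpid(pid, &status, 0) == -1) return false;`, `return WIFEXITED(status) && WEXITSTATUS(status) == 0;`. A short comment on the `client == "kfmclient"` branch explaining that kfmclient needs the `openURL` sub-command before the URL would also help, since the caller in openUrl no longer shows it.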