| author | Ray <raysan5@gmail.com> | 2018-11-12 14:59:31 +0100 |
|---|---|---|
| committer | Ray <raysan5@gmail.com> | 2018-11-12 14:59:31 +0100 |
| commit | 618f220851570f2bb9ea0bb354a65e92c6d06968 (patch) | |
| tree | a01135ffa896ba0cc8745d87a8415e8e8445ea51 /src | |
| parent | d2f4cc1142894357ffe983863b2cce04ac91fae5 (diff) | |
OpenURL() - Added small security check
Diffstat (limited to 'src')
| -rw-r--r-- | src/core.c | 42 |
1 files changed, 31 insertions, 11 deletions
@@ -1820,26 +1820,46 @@ int StorageLoadValue(int position)
 }
 // Open URL with default system browser (if available)
-// Note:
-// This function is onlyl safe to use if you control the URL given.
+// NOTE: This function is onlyl safe to use if you control the URL given.
 // A user could craft a malicious string performing another action.
-// Only call this function yourself not with user input or make sure to check the
-// string yourself.
-// See https://github.com/raysan5/raylib/issues/686
+// Only call this function yourself not with user input or make sure to check the string yourself.
+// CHECK: https://github.com/raysan5/raylib/issues/686
 void OpenURL(const char *url)
 {
- char *cmd = calloc(strlen(url) + 10, sizeof(char));
+ // Small security check trying to avoid (partially) malicious code...
+ // sorry for the inconvenience when you hit this point...
+ bool validUrl = true;
+ int len = strlen(url);
+
+ for (int i = 0; i < len; i++)
+ {
+ if ((url[i] == ';') ||
+ (url[i] == '?') ||
+ (url[i] == ':') ||
+ (url[i] == '=') ||
+ (url[i] == '&'))
+ {
+ validUrl = false;
+ break;
+ }
+ }
+
+ if (validUrl)
+ {
+ char *cmd = calloc(strlen(url) + 10, sizeof(char));
 #if defined(_WIN32)
- sprintf(cmd, "explorer '%s'", url);
+ sprintf(cmd, "explorer '%s'", url);
 #elif defined(__linux__)
- sprintf(cmd, "xdg-open '%s'", url); // Alternatives: firefox, x-www-browser
+ sprintf(cmd, "xdg-open '%s'", url); // Alternatives: firefox, x-www-browser
 #elif defined(__APPLE__)
- sprintf(cmd, "open '%s'", url);
+ sprintf(cmd, "open '%s'", url);
 #endif
- system(cmd);
+ system(cmd);
- free(cmd);
+ free(cmd);
+ }
+ else TraceLog(LOG_WARNING, "Provided URL does not seem to be valid.");
 }
 //---------------------------------------------------------------------------------- |
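Review bot: The new blocklist in the `if` inside the `for` loop never rejects `'`, yet that is the one character that closes the `'%s'` quoting handed to `system()` on Linux/macOS, so an input such as `a'|id'` still runs a second command without using any of `;`, `?`, `:`, `=` or `&` (and on Windows `cmd.exe` does not treat single quotes as quoting at all, so `|`, `%` and `^` remain live there); meanwhile rejecting `:` refuses every `scheme://` URL, so a plain `https://` link now only hits the `TraceLog` branch. A blocklist cannot make `system()` safe for caller-supplied strings: the durable fix is to spawn the opener with an argv and no shell (`posix_spawnp`/`execvp` with `{"xdg-open", url, NULL}` on POSIX, `ShellExecuteA(NULL, "open", url, ...)` on Windows), and short of that the check should at least contain `(url[i] == '\'')` and drop `:`. Separately, `calloc(strlen(url) + 10, ...)` is two bytes short for both `"xdg-open '%s'"` and `"explorer '%s'"` (a 10-character prefix plus the URL, the closing quote and the NUL needs `strlen(url) + 12`), so the `sprintf` writes past the heap buffer on those platforms; size it `strlen(url) + 32`, write with `snprintf`, and check the `calloc` result before use. `int len = strlen(url);` also dereferences a NULL `url` and narrows `size_t` to `int`; an early `if (url == NULL) return;` and a `size_t` loop bound would close that off.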
