kyonshi/tbamud
1
0
Fork 0
mirror of https://github.com/tbamud/tbamud.git synced 2026-04-30 04:41:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: kyonshi:96dfc6fb090095bc1c618b074cb46d8df6216a7f
Branches Tags
kyonshi:master kyonshi:copilot/fix-stack-buffer-overflow kyonshi:copilot/fix-stray-null-write-bug kyonshi:copilot/fix-os-command-injection kyonshi:copilot/fix-stack-buffer-overflow-var-subst kyonshi:copilot/fix-unbounded-strcpy-password kyonshi:copilot/fix-fscanf-width-limits kyonshi:copilot/check-code-for-vulnerabilities kyonshi:feature/unittesting kyonshi:kaizen/reformatting-and-linting
kyonshi:v2025.0.0 kyonshi:v2023.0.0 kyonshi:v2021.0.0 kyonshi:v2020.0.0 kyonshi:v2019.0.0 kyonshi:v2018.0.0 kyonshi:v3.68
..
compare: kyonshi:copilot/fix-os-command-injection
Branches Tags
kyonshi:master kyonshi:copilot/fix-stack-buffer-overflow kyonshi:copilot/fix-stray-null-write-bug kyonshi:copilot/fix-os-command-injection kyonshi:copilot/fix-stack-buffer-overflow-var-subst kyonshi:copilot/fix-unbounded-strcpy-password kyonshi:copilot/fix-fscanf-width-limits kyonshi:copilot/check-code-for-vulnerabilities kyonshi:feature/unittesting kyonshi:kaizen/reformatting-and-linting
kyonshi:v2025.0.0 kyonshi:v2023.0.0 kyonshi:v2021.0.0 kyonshi:v2020.0.0 kyonshi:v2019.0.0 kyonshi:v2018.0.0 kyonshi:v3.68

2 Commits
96dfc6fb09 ... copilot/fi

Author SHA1 Message Date
copilot-swe-agent[bot]
80b77808f3 Fix OS command injection in fix_filename() - use allowlist for safe chars 
Agent-Logs-Url: https://github.com/tbamud/tbamud/sessions/a9e10199-b353-440a-ba26-279f0d0e42bf

Co-authored-by: welcor <357770+welcor@users.noreply.github.com>
 2026-04-24 10:22:33 +00:00
copilot-swe-agent[bot]
c5bed0e141 Initial plan 2026-04-24 10:16:38 +00:00
2 changed files with 22 additions and 45 deletions
Expand all files Collapse all files

29
src/genolc.c
View File

@@ -277,7 +277,10 @@ int sprintascii(char *out, bitvector_t bits)
return j;
}
/* converts illegal filename chars into appropriate equivalents */
/* converts illegal filename chars into appropriate equivalents.
* Uses an allowlist: alphanumerics, underscore, hyphen, and dot are kept;
* spaces are converted to underscores; all other characters (including shell
* metacharacters such as ; | & ` $ > < \n) are silently dropped. */
static void fix_filename(const char *str, char *outbuf, size_t maxlen)
{
const char *in = str;
@@ -285,21 +288,17 @@ static void fix_filename(const char *str, char *outbuf, size_t maxlen)
int count = 0;
while (*in) {
switch(*in) {
case ' ': *out = '_'; out++; break;
case '(': *out = '{'; out++; break;
case ')': *out = '}'; out++; break;
/* skip the following */
case '\'': break;
case '"': break;
/* Legal character */
default: *out = *in; out++;break;
}
if (isalnum((unsigned char)*in) || *in == '_' || *in == '-' || *in == '.') {
/* Safe characters kept as-is */
*out++ = *in;
if (++count == maxlen - 1) break;
} else if (*in == ' ') {
/* Spaces become underscores */
*out++ = '_';
if (++count == maxlen - 1) break;
}
/* All other characters, including shell metacharacters, are dropped */
in++;
count++;
if (count == maxlen - 1) break;
}
*out = '\0';
}

38
src/interpreter.c
View File

@@ -41,7 +41,7 @@
/* local (file scope) functions */
static int perform_dupe_check(struct descriptor_data *d);
static struct alias_data *find_alias(struct alias_data *alias_list, char *str);
static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alias_data *a, struct char_data *ch);
static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alias_data *a);
static int _parse_name(char *arg, char *name);
static bool perform_new_char_dupe_check(struct descriptor_data *d);
/* sort_commands utility */
@@ -668,10 +668,9 @@ ACMD(do_alias)
* commands. */
#define NUM_TOKENS 9
static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alias_data *a, struct char_data *ch)
static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alias_data *a)
{
struct txt_q temp_queue;
struct txt_block *qtmp;
char *tokens[NUM_TOKENS], *temp, *write_point;
char buf2[MAX_RAW_INPUT_LENGTH], buf[MAX_RAW_INPUT_LENGTH]; /* raw? */
int num_of_tokens = 0, num;
@@ -698,27 +697,16 @@ static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alia
} else if (*temp == ALIAS_VAR_CHAR) {
temp++;
if ((num = *temp - '1') < num_of_tokens && num >= 0) {
if ((write_point - buf) + strlen(tokens[num]) >= MAX_RAW_INPUT_LENGTH)
goto overflow;
strcpy(write_point, tokens[num]);
strcpy(write_point, tokens[num]); /* strcpy: OK */
write_point += strlen(tokens[num]);
} else if (*temp == ALIAS_GLOB_CHAR) {
skip_spaces(&orig);
if ((write_point - buf) + strlen(orig) >= MAX_RAW_INPUT_LENGTH)
goto overflow;
strcpy(write_point, orig);
strcpy(write_point, orig); /* strcpy: OK */
write_point += strlen(orig);
} else {
if (write_point - buf + 2 >= MAX_RAW_INPUT_LENGTH)
goto overflow;
if ((*(write_point++) = *temp) == '$') /* redouble $ for act safety */
*(write_point++) = '$';
}
} else {
if (write_point - buf + 1 >= MAX_RAW_INPUT_LENGTH)
goto overflow;
} else if ((*(write_point++) = *temp) == '$') /* redouble $ for act safety */
*(write_point++) = '$';
} else
*(write_point++) = *temp;
}
}
*write_point = '\0';
@@ -732,16 +720,6 @@ static void perform_complex_alias(struct txt_q *input_q, char *orig, struct alia
temp_queue.tail->next = input_q->head;
input_q->head = temp_queue.head;
}
return;
overflow:
send_to_char(ch, "Alias expansion too long.\r\n");
while (temp_queue.head) {
qtmp = temp_queue.head;
temp_queue.head = qtmp->next;
free(qtmp->text);
free(qtmp);
}
}
/* Given a character and a string, perform alias replacement on it.
@@ -777,7 +755,7 @@ int perform_alias(struct descriptor_data *d, char *orig, size_t maxlen)
strlcpy(orig, a->replacement, maxlen);
return (0);
} else {
perform_complex_alias(&d->input, ptr, a, d->character);
perform_complex_alias(&d->input, ptr, a);
return (1);
}
}