Really fix the privilege escalation in a better way

2025-12-19 12:28:08 +01:00 · 2012-04-30 21:20:47 +02:00
parent c4bf598566
commit ac26e3cc54
2 changed files with 10 additions and 8 deletions
--- a/wicd/misc.py
+++ b/wicd/misc.py
@@ -26,6 +26,7 @@ import os
 import locale
 import sys
 import re
+import string
 import gobject
 from threading import Thread
 from subprocess import Popen, STDOUT, PIPE, call
@@ -427,11 +428,9 @@ def noneToString(text):

 def sanitize_config(s):
    """ Sanitize property names to be used in config-files. """
-    s = s.strip()
-    s = s.replace('=', '')
-    s = s.replace(' ', '')
-    s = s.replace('\n', '')
-    return s
+    allowed = string.ascii_letters + '_' + string.digits
+    table = string.maketrans(allowed, ' ' * len(allowed))
+    return s.translate(None, table)

 def sanitize_escaped(s):
    """ Sanitize double-escaped unicode strings. """
--- a/wicd/wicd-daemon.py
+++ b/wicd/wicd-daemon.py
@@ -1064,7 +1064,8 @@ class WirelessDaemon(dbus.service.Object):
    def SetWirelessProperty(self, netid, prop, value):
        """ Sets property to value in network specified. """
        # We don't write script settings here.
-        if misc.sanitize_config(prop).endswith('script'):
+        prop = misc.sanitize_config(prop)
+        if prop.endswith('script'):
            print 'Setting script properties through the daemon' \
                  + ' is not permitted.'
            return False
@@ -1264,7 +1265,8 @@ class WirelessDaemon(dbus.service.Object):
    @dbus.service.method('org.wicd.daemon.wireless')
    def SaveWirelessNetworkProperty(self, id, option):
        """ Writes a particular wireless property to disk. """
-        if (option.strip()).endswith("script"):
+        option = misc.sanitize_config(option)
+        if option.endswith("script"):
            print 'You cannot save script information to disk through ' + \
                  'the daemon.'
            return
@@ -1406,7 +1408,8 @@ class WiredDaemon(dbus.service.Object):
    def SetWiredProperty(self, prop, value):
        """ Sets the given property to the given value. """
        if self.WiredNetwork:
-            if misc.sanitize_config(prop).endswith('script'):
+            prop = misc.sanitize_config(prop)
+            if prop.endswith('script'):
                print 'Setting script properties through the daemon' \
                      + ' is not permitted.'
                return False