
wmaker: fix arbitrary shell command injection

The workspace background preference can be tricked into running arbitrary commands.

Signed-off-by: Carlos R. Mafra <crmafra@gmail.com>
David Maciejak
2014-09-30 15:51:31 +08:00
committed by Carlos R. Mafra
parent a307b9f867
commit 65f8cb7a4b


@@ -3097,13 +3097,17 @@ static int setWorkspaceBack(WScreen * scr, WDefaultEntry * entry, void *tdata, v
len = strlen(text) + 40;
command = wmalloc(len);
dither = wPreferences.no_dithering ? "-m" : "-d";
if (wPreferences.smooth_workspace_back)
snprintf(command, len, "wmsetbg %s -S -p '%s' &", dither, text);
else
snprintf(command, len, "wmsetbg %s -p '%s' &", dither, text);
if (!strchr(text, '\'') && !strchr(text, '\\')) {
command = wmalloc(len);
if (wPreferences.smooth_workspace_back)
snprintf(command, len, "wmsetbg %s -S -p '%s' &", dither, text);
else
snprintf(command, len, "wmsetbg %s -p '%s' &", dither, text);
ExecuteShellCommand(scr, command);
wfree(command);
} else
wwarning(_("Invalid arguments for background \"%s\""), text);
wfree(text);
ExecuteShellCommand(scr, command);
wfree(command);
}
WMReleasePropList(value);
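Review bot: `command = wmalloc(len);` appears both before the `dither` assignment and again inside the new `if`; the 13/17 line counts in the hunk header suggest the first one is kept as context, in which case that buffer is leaked on every call and is never freed on the `else` path. The page has lost its +/- markers, so confirm against the file; if the outer allocation is still there, dropping it is the fix. Separately, the guard is a denylist in front of a shell string: inside single quotes only `'` ends the quoting, so the check holds for the two format strings shown, but it depends on `text` always staying inside the quotes and it now rejects a legitimate image path that contains an apostrophe. A comment such as `/* text is spliced inside '...' for the shell; reject quote and backslash rather than escape them */` would record that assumption, and starting wmsetbg with an argument vector instead of going through `ExecuteShellCommand` would remove the reliance on quoting altogether. `setWorkspaceBack` begins and ends outside the hunk.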