Merged revisions 42355 via svnmerge from
authorTilghman Lesher <tilghman@meg.abyt.es>
Thu, 7 Sep 2006 23:15:43 +0000 (23:15 +0000)
committerTilghman Lesher <tilghman@meg.abyt.es>
Thu, 7 Sep 2006 23:15:43 +0000 (23:15 +0000)
https://origsvn.digium.com/svn/asterisk/branches/1.2

........
r42355 | tilghman | 2006-09-07 18:12:29 -0500 (Thu, 07 Sep 2006) | 2 lines

Format vulnerability fix - allowing the user to specify a format is not a good idea (Bug 7811)

........

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@42356 65c4cc65-6c06-0410-ace0-fbb531ad65f3

apps/app_record.c

index 231e2bb..810806e 100644 (file)
@@ -43,6 +43,7 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
 #include "asterisk/dsp.h"
 #include "asterisk/utils.h"
 #include "asterisk/options.h"
 #include "asterisk/dsp.h"
 #include "asterisk/utils.h"
 #include "asterisk/options.h"
+#include "asterisk/app.h"
 
 
 static char *app = "Record";
 
 
 static char *app = "Record";
@@ -179,8 +180,34 @@ static int record_exec(struct ast_channel *chan, void *data)
        /* these are to allow the use of the %d in the config file for a wild card of sort to
          create a new file with the inputed name scheme */
        if (percentflag) {
        /* these are to allow the use of the %d in the config file for a wild card of sort to
          create a new file with the inputed name scheme */
        if (percentflag) {
+               AST_DECLARE_APP_ARGS(fname,
+                       AST_APP_ARG(piece)[100];
+               );
+               char *tmp2 = ast_strdupa(filename);
+               char countstring[15];
+               int i;
+
+               /* Separate each piece out by the format specifier */
+               AST_NONSTANDARD_APP_ARGS(fname, tmp2, '%');
                do {
                do {
-                       snprintf(tmp, sizeof(tmp), filename, count);
+                       int tmplen;
+                       /* First piece has no leading percent, so it's copied verbatim */
+                       ast_copy_string(tmp, fname.piece[0], sizeof(tmp));
+                       tmplen = strlen(tmp);
+                       for (i = 1; i < fname.argc; i++) {
+                               if (fname.piece[i][0] == 'd') {
+                                       /* Substitute the count */
+                                       snprintf(countstring, sizeof(countstring), "%d", count);
+                                       ast_copy_string(tmp + tmplen, countstring, sizeof(tmp) - tmplen);
+                                       tmplen += strlen(countstring);
+                               } else if (tmplen + 2 < sizeof(tmp)) {
+                                       /* Unknown format specifier - just copy it verbatim */
+                                       tmp[tmplen++] = '%';
+                                       tmp[tmplen++] = fname.piece[i][0];
+                               }
+                               /* Copy the remaining portion of the piece */
+                               ast_copy_string(tmp + tmplen, &(fname.piece[i][1]), sizeof(tmp) - tmplen);
+                       }
                        count++;
                } while ( ast_fileexists(tmp, ext, chan->language) != -1 );
                pbx_builtin_setvar_helper(chan, "RECORDED_FILE", tmp);
                        count++;
                } while ( ast_fileexists(tmp, ext, chan->language) != -1 );
                pbx_builtin_setvar_helper(chan, "RECORDED_FILE", tmp);