[zypp-commit] r7383 - in /trunk/updater-kde/updater/zypp: ZYppUpdater.cpp zypper_install
Author: tgoettlicher
Date: Tue Sep 25 19:07:42 2007
New Revision: 7383
URL: http://svn.opensuse.org/viewcvs/zypp?rev=7383&view=rev
Log: prevent command injection
Modified: trunk/updater-kde/updater/zypp/ZYppUpdater.cpp trunk/updater-kde/updater/zypp/zypper_install
Modified: trunk/updater-kde/updater/zypp/ZYppUpdater.cpp
URL: http://svn.opensuse.org/viewcvs/zypp/trunk/updater-kde/updater/zypp/ZYppUpdater.cpp?rev=7383&r1=7382&r2=7383&view=diff
==============================================================================
--- trunk/updater-kde/updater/zypp/ZYppUpdater.cpp (original)
+++ trunk/updater-kde/updater/zypp/ZYppUpdater.cpp Tue Sep 25 19:07:42 2007
@@ -446,6 +446,12 @@ if ( installPatchList.isEmpty() && installPackageList.isEmpty() ) return;
+ // prevent command injection
+ for (int i=0; i < installPatchList.count(); ++i)
+ installPatchList[i].replace(QChar('"'), "");
+ for (int i=0; i < installPackageList.count(); ++i)
+ installPackageList[i].replace(QChar('"'), "");
+ resetXmlStream(); _error=false;
Modified: trunk/updater-kde/updater/zypp/zypper_install
URL: http://svn.opensuse.org/viewcvs/zypp/trunk/updater-kde/updater/zypp/zypper_install?rev=7383&r1=7382&r2=7383&view=diff
==============================================================================
--- trunk/updater-kde/updater/zypp/zypper_install (original)
+++ trunk/updater-kde/updater/zypp/zypper_install Tue Sep 25 19:07:42 2007
@@ -18,11 +18,11 @@ *) if [ $type == "patch" ]; then
- patchlist="$patchlist $1 "
+ patchlist="$patchlist \"$1\""
 fi
 if [ $type == "package" ]; then
- packagelist="$packagelist $1 "
+ packagelist="$packagelist \"$1\""
 fi ;;
-- To unsubscribe, e-mail: zypp-commit+unsubscribe@opensuse.org For additional commands, e-mail: zypp-commit+help@opensuse.org
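Review bot: Stripping only `"` from each entry in the two added loops is a one-character denylist, and it silently changes a name instead of rejecting it. If these lists later end up inside a double-quoted shell string (the zypper_install change in this commit suggests so), `$`, backticks and backslashes keep their meaning there, so the sanitisation looks incomplete. I would validate each entry against an allowlist and abort the install on a mismatch, e.g. `static const QRegExp safeName("[A-Za-z0-9._+-]+");` with `if (!safeName.exactMatch(installPatchList[i])) { _error = true; return; }`, adjusting the character set to what zypp names may actually contain. The enclosing function starts and ends outside the hunk, so how the lists reach the script is not visible here.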
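Review bot: The embedded `\"$1\"` quotes only take effect if `$patchlist` and `$packagelist` are parsed by a shell a second time (for example through `eval` or a `-c` command string), and in that second parse expansions inside the double quotes are still performed on the argument. The script therefore depends entirely on the caller having cleaned the names. Assuming the script runs under bash (the `==` test hints at it), collecting the names with `patchlist+=("$1")` and expanding them as `"${patchlist[@]}"` at the point of use would pass each name as one argument without re-parsing; the same applies to `packagelist`. The consumer of both variables is outside the hunk, so this needs checking against how they are used.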