From 16aed74911eb352c322cd2ed38508881b144ac28 Mon Sep 17 00:00:00 2001
From: pk910
Date: Tue, 18 Oct 2011 01:32:36 +0200
Subject: [PATCH] only escape user parameters on cmd_extscript
---
 src/cmd_neonserv_extscript.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)
diff --git a/src/cmd_neonserv_extscript.c b/src/cmd_neonserv_extscript.c
index 53b173d..35f81bc 100644
--- a/src/cmd_neonserv_extscript.c
+++ b/src/cmd_neonserv_extscript.c
@@ -32,6 +32,7 @@ CMD_BIND(neonserv_cmd_extscript) {
 int commandpos = 0;
 char part[MAXLEN];
 int partpos;
+ int escape_param;
 int answere_channel = 0;
 //check first arg
 if(argc && !stricmp(argv[0], "toys")) {
@@ -66,6 +67,7 @@ CMD_BIND(neonserv_cmd_extscript) {
 commandpos = sprintf(command, "%s", argv[0]);
 for(i = 1; i < argc-1; i++) {
 partpos = 0;
+ escape_param = 1;
 if(argv[i][0] == '$') {
 argv[i]++;
 if(argv[i][strlen(argv[i])-1] == '-') {
@@ -88,20 +90,24 @@ CMD_BIND(neonserv_cmd_extscript) {
 } } } else { partpos = sprintf(part, "%s", argv[i]);
+ escape_param = 0;
 }
 //escape shell argument
 command[commandpos++] = ' ';
- command[commandpos++] = '\'';
- for(j = 0; j < partpos; j++) {
- if(part[j] == '\'') {
- command[commandpos++] = '\'';
- command[commandpos++] = '\\';
- command[commandpos++] = '\'';
- command[commandpos++] = '\'';
- } else
- command[commandpos++] = part[j];
- }
- command[commandpos++] = '\'';
+ if(escape_param) {
+ command[commandpos++] = '\'';
+ for(j = 0; j < partpos; j++) {
+ if(part[j] == '\'') {
+ command[commandpos++] = '\'';
+ command[commandpos++] = '\\';
+ command[commandpos++] = '\'';
+ command[commandpos++] = '\'';
+ } else
+ command[commandpos++] = part[j];
+ }
+ command[commandpos++] = '\'';
+ } else
+ commandpos += sprintf(command + commandpos, " %s", part);
 }
 command[commandpos] = '\0';
 //we should now have a valid command
--
2.20.1
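Review bot: In the third hunk the new `else` branch copies `part` into `command` with an unbounded `sprintf` and no quoting, so every token that does not start with `$` reaches the shell line verbatim. That is only sound if such literal tokens always come from the operator's own binding configuration and never from the IRC user; the code that fills `argv` is outside the hunk, so this should be confirmed and recorded at the assignment, e.g. `escape_param = 0; //literal token from the binding config, trusted: goes to the shell unquoted`. The branch also emits a second space, because `command[commandpos++] = ' ';` has already run, so the format should be `"%s"` rather than `" %s"`. Neither branch checks `commandpos` against the size of `command` (declared outside the hunk), and the quoting loop turns each `'` into four bytes; assuming `command` is an array, a bounded call such as `snprintf(command + commandpos, sizeof(command) - commandpos, "%s", part)` with a truncation check, plus a matching limit in the loop, would close that.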