[asterisk-commits] tilghman: branch 1.2 r42355 - /branches/1.2/apps/app_record.c

asterisk-commits at lists.digium.com asterisk-commits at lists.digium.com
Thu Sep 7 16:12:30 MST 2006


Author: tilghman
Date: Thu Sep  7 18:12:29 2006
New Revision: 42355

URL: http://svn.digium.com/view/asterisk?rev=42355&view=rev
Log:
Format vulnerability fix - allowing the user to specify a format is not a good idea (Bug 7811)

Modified:
    branches/1.2/apps/app_record.c

Modified: branches/1.2/apps/app_record.c
URL: http://svn.digium.com/view/asterisk/branches/1.2/apps/app_record.c?rev=42355&r1=42354&r2=42355&view=diff
==============================================================================
--- branches/1.2/apps/app_record.c (original)
+++ branches/1.2/apps/app_record.c Thu Sep  7 18:12:29 2006
@@ -41,6 +41,7 @@
 #include "asterisk/dsp.h"
 #include "asterisk/utils.h"
 #include "asterisk/options.h"
+#include "asterisk/app.h"
 
 static char *tdesc = "Trivial Record Application";
 
@@ -183,8 +184,35 @@
 	/* these are to allow the use of the %d in the config file for a wild card of sort to
 	  create a new file with the inputed name scheme */
 	if (percentflag) {
+		AST_DECLARE_APP_ARGS(fname,
+			AST_APP_ARG(piece)[100];
+		);
+		char *tmp2 = ast_strdupa(filename);
+		char countstring[15];
+		int i;
+
+		/* Separate each piece out by the format specifier */
+		/* AST_NONSTANDARD_APP_ARGS(fname, tmp2, '%'); */
+		fname.argc = ast_app_separate_args(tmp2, '%', fname.argv, (sizeof(fname) - sizeof(fname.argc)) / sizeof(fname.argv[0]));
 		do {
-			snprintf(tmp, sizeof(tmp), filename, count);
+			int tmplen;
+			/* First piece has no leading percent, so it's copied verbatim */
+			ast_copy_string(tmp, fname.piece[0], sizeof(tmp));
+			tmplen = strlen(tmp);
+			for (i = 1; i < fname.argc; i++) {
+				if (fname.piece[i][0] == 'd') {
+					/* Substitute the count */
+					snprintf(countstring, sizeof(countstring), "%d", count);
+					ast_copy_string(tmp + tmplen, countstring, sizeof(tmp) - tmplen);
+					tmplen += strlen(countstring);
+				} else if (tmplen + 2 < sizeof(tmp)) {
+					/* Unknown format specifier - just copy it verbatim */
+					tmp[tmplen++] = '%';
+					tmp[tmplen++] = fname.piece[i][0];
+				}
+				/* Copy the remaining portion of the piece */
+				ast_copy_string(tmp + tmplen, &(fname.piece[i][1]), sizeof(tmp) - tmplen);
+			}
 			count++;
 		} while ( ast_fileexists(tmp, ext, chan->language) != -1 );
 		pbx_builtin_setvar_helper(chan, "RECORDED_FILE", tmp);



More information about the asterisk-commits mailing list