Reaktor sed-plugin: remove sed script injection

Thanks @waldi for providing a breaking example: s/.\/\/; w /tmp/i
2016-11-18 15:13:49 +01:00 · 2016-11-18 15:13:49 +01:00 · cb09a4c348
commit cb09a4c348
parent d430a1fa40
1 changed files with 3 additions and 17 deletions
--- a/krebs/5pkgs/Reaktor/scripts/sed-plugin.py
+++ b/krebs/5pkgs/Reaktor/scripts/sed-plugin.py
@ -13,30 +13,16 @@ usr = environ['_from']
 import re

 def is_regex(line):
-    myre = re.compile(r'^s/((?:\\/|[^/])+)/((?:\\/|[^/])*)/([ig]*)$')
+    myre = re.compile(r'^s/(?:\\/|[^/])+/(?:\\/|[^/])*/[ig]?$')
    return myre.match(line)

 line = argv[1]
-m = is_regex(line)

-if m:
-    f,t,flagstr = m.groups()
-    fn = f.replace('\/','/')
-    tn = t.replace('\/','/')
-    flags =  0
-    count = 1
-    if flagstr:
-        if 'i' in flagstr:
-            flags = re.IGNORECASE
-        if 'g' in flagstr:
-            count = 0
-    else:
-        flagstr = ''
+if is_regex(line):
    last = d.get(usr,None)
    if last:
-        #print(re.sub(fn,tn,last,count=count,flags=flags))
        from subprocess import Popen,PIPE
-        p = Popen(['sed','s/{}/{}/{}'.format(f,t,flagstr)],stdin=PIPE,stdout=PIPE )
+        p = Popen(['sed',line],stdin=PIPE,stdout=PIPE)
        so,se = p.communicate(bytes("{}\n".format(last),"UTF-8"))
        if p.returncode:
            print("something went wrong when trying to process your regex: {}".format(se.decode()))