Reaktor sed-plugin: remove sed script injection
Thanks @waldi for providing a breaking example: s/.\/\/; w /tmp/i
This commit is contained in:
parent
d430a1fa40
commit
cb09a4c348
|
@ -13,30 +13,16 @@ usr = environ['_from']
|
||||||
import re
|
import re
|
||||||
|
|
||||||
def is_regex(line):
|
def is_regex(line):
|
||||||
myre = re.compile(r'^s/((?:\\/|[^/])+)/((?:\\/|[^/])*)/([ig]*)$')
|
myre = re.compile(r'^s/(?:\\/|[^/])+/(?:\\/|[^/])*/[ig]?$')
|
||||||
return myre.match(line)
|
return myre.match(line)
|
||||||
|
|
||||||
line = argv[1]
|
line = argv[1]
|
||||||
m = is_regex(line)
|
|
||||||
|
|
||||||
if m:
|
if is_regex(line):
|
||||||
f,t,flagstr = m.groups()
|
|
||||||
fn = f.replace('\/','/')
|
|
||||||
tn = t.replace('\/','/')
|
|
||||||
flags = 0
|
|
||||||
count = 1
|
|
||||||
if flagstr:
|
|
||||||
if 'i' in flagstr:
|
|
||||||
flags = re.IGNORECASE
|
|
||||||
if 'g' in flagstr:
|
|
||||||
count = 0
|
|
||||||
else:
|
|
||||||
flagstr = ''
|
|
||||||
last = d.get(usr,None)
|
last = d.get(usr,None)
|
||||||
if last:
|
if last:
|
||||||
#print(re.sub(fn,tn,last,count=count,flags=flags))
|
|
||||||
from subprocess import Popen,PIPE
|
from subprocess import Popen,PIPE
|
||||||
p = Popen(['sed','s/{}/{}/{}'.format(f,t,flagstr)],stdin=PIPE,stdout=PIPE )
|
p = Popen(['sed',line],stdin=PIPE,stdout=PIPE)
|
||||||
so,se = p.communicate(bytes("{}\n".format(last),"UTF-8"))
|
so,se = p.communicate(bytes("{}\n".format(last),"UTF-8"))
|
||||||
if p.returncode:
|
if p.returncode:
|
||||||
print("something went wrong when trying to process your regex: {}".format(se.decode()))
|
print("something went wrong when trying to process your regex: {}".format(se.decode()))
|
||||||
|
|
Loading…
Reference in New Issue
Block a user