authorJesusaves <cpntb1@ymail.com>2021-08-30 14:09:15 -0300
committerJesusaves <cpntb1@ymail.com>2021-08-30 14:09:15 -0300
commit2381bf69f6a5c6a559a0fb5d3d749f4a60672066 (patch)
tree585c07b5195e9fc7583262c4eb778a60201c107d
parentc4608bf954c3e335654bdcf18a4d430645713ee7 (diff)
Add minimal sanitizing rules to subprocess.
While it is still vulnerable overall, this should reduce the attack surface.
-rw-r--r--game/client.rpy4
-rw-r--r--game/core.rpy7
2 files changed, 9 insertions, 2 deletions
diff --git a/game/client.rpy b/game/client.rpy
index cd23d52..3062b98 100644
--- a/game/client.rpy
+++ b/game/client.rpy
@@ -90,9 +90,9 @@ init 2 python:
## Launch your preferred game client, wait for it to finish
if renpy.windows:
- app=execute("\"%s\" %s%s" % (CMD, OPT, PWD), shell=True)
+ app=execute(san("\"%s\" %s%s" % (CMD, OPT, PWD)), shell=True)
else:
- app=execute("%s %s%s" % (CMD, OPT, PWD), shell=True)
+ app=execute(san("%s %s%s" % (CMD, OPT, PWD)), shell=True)
## Determine error messages
if app == 7:
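Review bot: Wrapping the formatted string in `san()` on both branches still hands one string to `execute(..., shell=True)`, so the shell parses whatever survives the filter. The filter also rewrites legitimate values: a Windows `CMD` path under `Program Files (x86)` loses its parentheses, and a password in `PWD` containing `&` or `;` is silently altered, which would likely surface as a launch or login failure. If `execute` forwards to `subprocess` (it is defined outside this hunk, so this is an assumption), building the arguments as a list and dropping the shell removes the need for the filter, e.g. `app=execute([CMD] + args)` with `args` assembled as a list where `OPT` and `PWD` are built. The enclosing block starts and ends outside the hunk.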
diff --git a/game/core.rpy b/game/core.rpy
index 723c283..14f22c9 100644
--- a/game/core.rpy
+++ b/game/core.rpy
@@ -46,6 +46,13 @@ init -3 python:
del ct
return rt
+ # Sanitize a command (strip some flow control chars)
+ # While it covers all control operators and most metacharacters,
+ # it doesn't covers well the reserved words.
+ # ...Of course, it relies on this client not being compromised.
+ def san(cmd):
+ return cmd.replace(";", "").replace("|", "").replace(">", "").replace("<", "").replace("&", "").replace("(", "").replace(")", "").replace("\n", "").replace("[[", "").replace("]]", "")
+
# Smart Print command
def stdout(message, bd=False):
if config.developer:
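Review bot: The deny-list in `san()` leaves backticks, `$`, quote characters and `\r` untouched, so command substitution and variable expansion are still interpreted when the result is run with `shell=True`. The comment above the function should say so directly, so no later caller treats it as a security boundary, for example `# NOT a security boundary: backticks, $ and quotes pass through; prefer an argument list without shell=True.` As a style point, the chain of ten `.replace()` calls is hard to audit. A module-level tuple of the stripped tokens with a short loop over it would make the covered set visible at a glance.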