Sanitize input to avoid some (but not every) arbitrary shell code execution

1 files changed, 15 insertions, 2 deletions

diff --git a/game/client.rpy b/game/client.rpy
index bfc7797..e01d0b3 100644
--- a/game/client.rpy
+++ b/game/client.rpy
@@ -29,7 +29,7 @@ init 2 python:
         HOST=persistent.serverlist[idx]["Host"]
         PORT=persistent.serverlist[idx]["Port"]
         CMD=handle_client(launch=True)
-        OPT="-s %s -y evol2 -p %s" % (HOST, PORT)
+        OPT="-s %s -y evol2 -p %s -S" % (HOST, PORT)
         stdout("%s %s" % (CMD, OPT))
 
         ########################################################################
@@ -83,12 +83,25 @@ init 2 python:
             if not renpy.mobile and persistent.iconify:
                 renpy.iconify()
 
+            ## Sanitize input to avoid arbitrary code execution
+            CMD=CMD.replace(";", "").replace("&", "").replace(">", "").replace("<", "").replace("|", "")
+            OPT=OPT.replace(";", "").replace("&", "").replace(">", "").replace("<", "").replace("|", "")
+            PWD=PWD.replace(";", "").replace("&", "").replace(">", "").replace("<", "").replace("|", "")
+
             ## Launch your prefered game client, wait for it to finish
             if renpy.windows:
                 app=execute("\"%s\" %s%s" % (CMD, OPT, PWD), shell=True)
             else:
                 app=execute("%s %s%s" % (CMD, OPT, PWD), shell=True)
-            if app:
+
+            ## Determine error messages
+            if app == 7:
+                stdout("[CLIENT] Mirror Lake trigger.")
+                ## Give "plenty" time to ensure data will be available
+                statusmsg=_("Synchronizing data...")
+                time.sleep(0.5)
+
+            elif app:
                 traceback.print_exc()
                 stdout("[CLIENT] An error happened: %d" % app)
                 #responsive = False