-rw-r--r-- | game/client.rpy | 4 | ||||
-rw-r--r-- | game/core.rpy | 7 |
2 files changed, 9 insertions, 2 deletions
diff --git a/game/client.rpy b/game/client.rpy
index cd23d52..3062b98 100644
--- a/game/client.rpy
+++ b/game/client.rpy
@@ -90,9 +90,9 @@ init 2 python:
 
 ## Launch your preferred game client, wait for it to finish
 if renpy.windows:
- app=execute("\"%s\" %s%s" % (CMD, OPT, PWD), shell=True)
+ app=execute(san("\"%s\" %s%s" % (CMD, OPT, PWD)), shell=True)
 else:
- app=execute("%s %s%s" % (CMD, OPT, PWD), shell=True)
+ app=execute(san("%s %s%s" % (CMD, OPT, PWD)), shell=True)
 
 ## Determine error messages
 if app == 7:
diff --git a/game/core.rpy b/game/core.rpy
index 723c283..14f22c9 100644
--- a/game/core.rpy
+++ b/game/core.rpy
@@ -46,6 +46,13 @@ init -3 python:
 del ct
 return rt
 
+ # Sanitize a command (strip some flow control chars)
+ # While it covers all control operators and most metacharacters,
+ # it doesn't covers well the reserved words.
+ # ...Of course, it relies on this client not being compromised.
+ def san(cmd):
+ return cmd.replace(";", "").replace("|", "").replace(">", "").replace("<", "").replace("&", "").replace("(", "").replace(")", "").replace("\n", "").replace("[[", "").replace("]]", "")
+
 # Smart Print command
 def stdout(message, bd=False):
 if config.developer: |
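Review bot: Running san() over the whole formatted string on the two `app=execute(san(...), shell=True)` lines strips `(`, `)` and `&` out of CMD and PWD as well as OPT, so a legitimate client path such as `C:\Program Files (x86)\...` or a directory name containing `&` is silently corrupted before it ever reaches the shell. Where CMD, OPT and PWD are set is outside the hunk, but if any of them is user- or config-controlled a character denylist is the wrong tool: the backtick character, `$`, quotes, and on Windows `%` and `^` all pass through untouched, and a stray `"` still breaks out of the `\"%s\"` wrapping on the Windows branch. If execute() wraps subprocess (not visible here), pass an argument list and drop the shell, e.g. `app=execute([CMD] + shlex.split(OPT) + [PWD])` with `shell=False`, which removes the need for a sanitizer; otherwise quote each piece with `shlex.quote()` before formatting rather than stripping characters afterwards. The enclosing `init 2 python:` block starts and ends outside the hunk.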
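Review bot: The denylist in `san()` leaves command substitution intact: the backtick character and `$` are never removed, so a backtick-wrapped command inside any argument still executes under `shell=True`, and stripping `(` only defeats the `$(...)` spelling. Single and double quotes are also untouched, which lets an argument escape whatever quoting the caller wraps around it, and the cmd.exe metacharacters `%` and `^` are not covered on Windows even though the caller has a Windows-specific branch. A character denylist of this kind cannot be made complete, so the safer change is to escape per argument with `shlex.quote()` (or avoid the shell entirely) and, if `san()` is kept as defence in depth, state in its header comment that it is not a substitute for quoting; the header also has a typo, `doesn't covers` → `doesn't cover`. The chain of `.replace()` calls would read better as one `str.translate` table built from an explicit set of removed characters, which also makes the removed set auditable.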