From f2a1dcee69af446cd34815e80daed06a29c2ee27 Mon Sep 17 00:00:00 2001
From: Jesusaves
Date: Sun, 6 Jun 2021 14:08:52 -0300
Subject: Sanitize input to avoid some (but not every) arbitrary shell code execution
---
 game/client.rpy | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/game/client.rpy b/game/client.rpy
index bfc7797..e01d0b3 100644
--- a/game/client.rpy
+++ b/game/client.rpy
@@ -29,7 +29,7 @@ init 2 python:
 HOST=persistent.serverlist[idx]["Host"]
 PORT=persistent.serverlist[idx]["Port"]
 CMD=handle_client(launch=True)
- OPT="-s %s -y evol2 -p %s" % (HOST, PORT)
+ OPT="-s %s -y evol2 -p %s -S" % (HOST, PORT)
 stdout("%s %s" % (CMD, OPT))
 
 ########################################################################
@@ -83,12 +83,25 @@ init 2 python:
 if not renpy.mobile and persistent.iconify:
 renpy.iconify()
 
+ ## Sanitize input to avoid arbitrary code execution
+ CMD=CMD.replace(";", "").replace("&", "").replace(">", "").replace("<", "").replace("|", "")
+ OPT=OPT.replace(";", "").replace("&", "").replace(">", "").replace("<", "").replace("|", "")
+ PWD=PWD.replace(";", "").replace("&", "").replace(">", "").replace("<", "").replace("|", "")
+
 ## Launch your prefered game client, wait for it to finish
 if renpy.windows:
 app=execute("\"%s\" %s%s" % (CMD, OPT, PWD), shell=True)
 else:
 app=execute("%s %s%s" % (CMD, OPT, PWD), shell=True)
- if app:
+
+ ## Determine error messages
+ if app == 7:
+ stdout("[CLIENT] Mirror Lake trigger.")
+ ## Give "plenty" time to ensure data will be available
+ statusmsg=_("Synchronizing data...")
+ time.sleep(0.5)
+
+ elif app:
 traceback.print_exc()
 stdout("[CLIENT] An error happened: %d" % app)
 #responsive = False
-- 
cgit v1.2.3-70-g09d2
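Review bot: HOST and PORT read from persistent.serverlist are interpolated unquoted into OPT on the changed line, and that string later reaches execute(..., shell=True), so the character blacklist added in the second hunk is the only barrier between stored server-list data and the shell; stripping `;&<>|` still lets quoting, `$`, backquotes, whitespace and newlines through, and does nothing for cmd.exe syntax on the renpy.windows branch. The robust fix is to not involve a shell at all: if execute() wraps subprocess, pass an argument list, `execute([CMD, "-s", str(HOST), "-y", "evol2", "-p", str(PORT), "-S"], shell=False)` with PWD appended as its own element, after which the replace() chains in the second hunk can be dropped. If the shell string must remain, quote each value where it is built, `OPT="-s %s -y evol2 -p %s -S" % (shlex.quote(str(HOST)), shlex.quote(str(PORT)))` (`pipes.quote` on a Python 2 runtime), keeping in mind that this quoting is POSIX-only. The log line `stdout("%s %s" % (CMD, OPT))` deliberately omits PWD, which suggests it carries something sensitive; if so, it is still exposed to other local users through the process command line, which is worth a comment at the point of use. execute() is defined outside the hunk, so the argument forms it accepts are not visible here.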
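Review bot: The new `if app == 7:` branch compares the client's exit status against a bare magic number, and the handling it introduces is a fixed `time.sleep(0.5)` whose only justification is a comment calling it "plenty" of time; a named constant such as `MIRROR_LAKE_EXIT = 7` with a comment stating which client build returns it, plus a comment on what data the sleep is waiting for, would make both reviewable. The delay looks like a timing assumption rather than a synchronization, so if the client writes a file or the server exposes the state, waiting on that signal instead of a fixed interval would be more reliable. The `traceback.print_exc()` kept under the renamed `elif app:` branch runs with no active exception and therefore prints nothing useful; the following stdout() line already records the exit code. The enclosing function continues past the end of the hunk.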