From cb09a4c34871566cf460e75c9f177b9251858c12 Mon Sep 17 00:00:00 2001
From: tv
Date: Fri, 18 Nov 2016 15:13:49 +0100
Subject: Reaktor sed-plugin: remove sed script injection
Thanks @waldi for providing a breaking example: s/.\/\/; w /tmp/i
---
 krebs/5pkgs/Reaktor/scripts/sed-plugin.py | 20 +++-----------------
 1 file changed, 3 insertions(+), 17 deletions(-)
(limited to 'krebs/5pkgs/Reaktor/scripts')
diff --git a/krebs/5pkgs/Reaktor/scripts/sed-plugin.py b/krebs/5pkgs/Reaktor/scripts/sed-plugin.py
index 8103c9585..22b48e59d 100644
--- a/krebs/5pkgs/Reaktor/scripts/sed-plugin.py
+++ b/krebs/5pkgs/Reaktor/scripts/sed-plugin.py
@@ -13,30 +13,16 @@ usr = environ['_from']
 import re
 def is_regex(line):
- myre = re.compile(r'^s/((?:\\/|[^/])+)/((?:\\/|[^/])*)/([ig]*)$')
+ myre = re.compile(r'^s/(?:\\/|[^/])+/(?:\\/|[^/])*/[ig]?$')
 return myre.match(line)
 line = argv[1]
-m = is_regex(line)
-if m:
- f,t,flagstr = m.groups()
- fn = f.replace('\/','/')
- tn = t.replace('\/','/')
- flags = 0
- count = 1
- if flagstr:
- if 'i' in flagstr:
- flags = re.IGNORECASE
- if 'g' in flagstr:
- count = 0
- else:
- flagstr = ''
+if is_regex(line):
 last = d.get(usr,None)
 if last:
- #print(re.sub(fn,tn,last,count=count,flags=flags))
 from subprocess import Popen,PIPE
- p = Popen(['sed','s/{}/{}/{}'.format(f,t,flagstr)],stdin=PIPE,stdout=PIPE )
+ p = Popen(['sed',line],stdin=PIPE,stdout=PIPE)
 so,se = p.communicate(bytes("{}\n".format(last),"UTF-8"))
 if p.returncode:
 print("something went wrong when trying to process your regex: {}".format(se.decode()))
--
cgit v1.2.3
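Review bot: The rewritten pattern in `is_regex` keeps the alternation `(?:\\/|[^/])`, and `[^/]` still accepts a lone backslash, so a doubled backslash followed by `/` is counted as an escaped slash by the check while sed reads an escaped backslash and then a delimiter. The check and sed can therefore still disagree on where the `s` command ends, which appears to be the same disagreement the commit message's example relies on, and `line` now reaches `Popen(['sed',line],…)` unchanged. Treating every backslash escape as one unit and rejecting newlines would close that gap: `myre = re.compile(r's/(?:\\.|[^/\\\n])+/(?:\\.|[^/\\\n])*/[ig]?')` with `return myre.fullmatch(line)`, which also drops the trailing-newline tolerance of `$`. Where the installed GNU sed supports it, adding `--sandbox` to the argument list would reject the `e`, `r` and `w` commands as a second layer. The `if last:` block continues past the end of the hunk.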