[EU-FOSSA] Enhance external call code to avoid eventual arbitrary commands execution

6 years ago · 3f5f69c6a6
parent a2e9421669
commit 3f5f69c6a6
4 changed files with 14 additions and 5 deletions
--- a/PowerEditor/src/NppCommands.cpp
+++ b/PowerEditor/src/NppCommands.cpp
@ -91,8 +91,8 @@ void Notepad_plus::command(int id)
 		case IDM_FILE_OPEN_CMD:
 		{
-			Command cmd(TEXT("cmd /K cd /d \"$(CURRENT_DIRECTORY)\""));
+			Command cmd(TEXT("cmd"));
-			cmd.run(_pPublicInterface->getHSelf());
+			cmd.run(_pPublicInterface->getHSelf(), TEXT("$(CURRENT_DIRECTORY)"));
 		}
 		break;
--- a/PowerEditor/src/WinControls/FileBrowser/fileBrowser.cpp
+++ b/PowerEditor/src/WinControls/FileBrowser/fileBrowser.cpp
@ -688,9 +688,9 @@ void FileBrowser::popupMenuCmd(int cmdID)
 			if (::PathFileExists(path.c_str()))
 			{
 				TCHAR cmdStr[1024];
-				wsprintf(cmdStr, TEXT("cmd /K cd /d \"%s\""), path.c_str());
+				wsprintf(cmdStr, TEXT("cmd"));
 				Command cmd(cmdStr);
-				cmd.run(nullptr);
+				cmd.run(nullptr, path.c_str());
 			}
 		}
 		break;
--- a/PowerEditor/src/WinControls/StaticDialog/RunDlg/RunDlg.cpp
+++ b/PowerEditor/src/WinControls/StaticDialog/RunDlg/RunDlg.cpp
@ -167,6 +167,11 @@ void expandNppEnvironmentStrs(const TCHAR *strSrc, TCHAR *stringDest, size_t str
 }
 HINSTANCE Command::run(HWND hWnd)
 {
 	return run(hWnd, TEXT("."));
 }
 HINSTANCE Command::run(HWND hWnd, const TCHAR* cwd)
 {
 	const int argsIntermediateLen = MAX_PATH*2;
 	const int args2ExecLen = CURRENTWORD_MAXLENGTH+MAX_PATH*2;
@ -194,7 +199,10 @@ HINSTANCE Command::run(HWND hWnd)
 	expandNppEnvironmentStrs(cmdIntermediate, cmd2Exec, MAX_PATH, hWnd);
 	expandNppEnvironmentStrs(argsIntermediate, args2Exec, args2ExecLen, hWnd);
-	HINSTANCE res = ::ShellExecute(hWnd, TEXT("open"), cmd2Exec, args2Exec, TEXT("."), SW_SHOW);
+	TCHAR cwd2Exec[MAX_PATH];
 	expandNppEnvironmentStrs(cwd, cwd2Exec, MAX_PATH, hWnd);
 	HINSTANCE res = ::ShellExecute(hWnd, TEXT("open"), cmd2Exec, args2Exec, cwd2Exec, SW_SHOW);
 	// As per MSDN (https://msdn.microsoft.com/en-us/library/windows/desktop/bb762153(v=vs.85).aspx)
 	// If the function succeeds, it returns a value greater than 32.
--- a/PowerEditor/src/WinControls/StaticDialog/RunDlg/RunDlg.h
+++ b/PowerEditor/src/WinControls/StaticDialog/RunDlg/RunDlg.h
@ -43,6 +43,7 @@ public :
 	explicit Command(TCHAR *cmd) : _cmdLine(cmd){};
 	explicit Command(generic_string cmd) : _cmdLine(cmd){};
 	HINSTANCE run(HWND hWnd);
 	HINSTANCE run(HWND hWnd, const TCHAR* cwd);
 protected :
 	generic_string _cmdLine;