github
/
openvpn-gui
mirror of https://github.com/OpenVPN/openvpn-gui
1
0
Fork 0
Code Issues Releases Wiki Activity

Ensure group name in shell-execute cmdline is clean 

- Also fix typo in a comment.

Signed-off-by: Selva Nair <selva.nair@gmail.com>
pull/26/head
Selva Nair 2016-03-27 23:56:24 -04:00
parent c8ddab1f90
commit 6d9ab8122c
1 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
access.c
View File

@ -87,7 +87,7 @@ CheckGroupMember(DWORD count, WCHAR *grp[])
break; break;
} }
#ifdef DEBUG #ifdef DEBUG
PrintDebug(L"User is %s in an authorized gtoup", ret? L"" : L"not"); PrintDebug(L"User is%s in an authorized group", ret? L"" : L" not");
#endif #endif
out: out:
@ -161,6 +161,7 @@ GetBuiltinAdminGroupName (WCHAR *name, DWORD nlen)
} }
/* /*
* Add current user to the specified group. Uses RunAsAdmin to elevate. * Add current user to the specified group. Uses RunAsAdmin to elevate.
* Reject if the group name contains certain illegal characters.
*/ */
static BOOL static BOOL
AddUserToGroup (const WCHAR *group) AddUserToGroup (const WCHAR *group)
@ -176,6 +177,20 @@ AddUserToGroup (const WCHAR *group)
DWORD size; DWORD size;
DWORD status; DWORD status;
BOOL retval = FALSE; BOOL retval = FALSE;
WCHAR reject[] = L"\"\?\\/[]:;|=,+*<>\'&";
/*
* The only unknown content in the command line is the variable group. Ensure it
* does not contain any '"' character. Here we reject all characters not allowed
* in group names and special characters such as '&' as well.
*/
if (wcspbrk(group, reject) != NULL)
{
#ifdef DEBUG
PrintDebug (L"AddUSerToGroup: illegal characters in group name: '%s'.", group);
#endif
return retval;
}
size = _countof(username); size = _countof(username);
if (!GetUserNameExW (NameSamCompatible, username, &size)) if (!GetUserNameExW (NameSamCompatible, username, &size))