| author | Michael Vetter <[email protected]> | 2018-11-13 10:53:49 +0100 |
|---|---|---|
| committer | Michael Vetter <[email protected]> | 2018-11-13 10:59:52 +0100 |
| commit | 8f70c3baed04e07e21a82ac39d64cbc4d2952ee9 (patch) | |
| tree | 45b3e2910abd0ff8b63f8fb8cefc98c54e306da2 /src | |
| parent | 618f220851570f2bb9ea0bb354a65e92c6d06968 (diff) | |
Check for single apostrophe in OpenURL()
When doing a8dffc63fbe3926498ecb905428f454d0afbe526 I was not aware that
printing a warning and not executing the code would be an option. I only
learned that through 618f220851570f2bb9ea0bb354a65e92c6d06968.
So I propose that we allow all URLs except those containing a `'`,
which could end the URL and call another command via `system()`.
Related to https://github.com/raysan5/raylib/issues/686
Diffstat (limited to 'src')
| -rw-r--r-- | src/core.c | 23 |
1 files changed, 4 insertions, 19 deletions
@@ -1828,24 +1828,10 @@ void OpenURL(const char *url) { // Small security check trying to avoid (partially) malicious code... // sorry for the inconvenience when you hit this point... - bool validUrl = true; - int len = strlen(url); - - for (int i = 0; i < len; i++) - { - if ((url[i] == ';') || - (url[i] == '?') || - (url[i] == ':') || - (url[i] == '=') || - (url[i] == '&')) - { - validUrl = false; - break; - } - } - - if (validUrl) + if (strchr(url, '\'') != NULL) { + TraceLog(LOG_WARNING, "Provided URL does not seem to be valid."); + } else { char *cmd = calloc(strlen(url) + 10, sizeof(char)); #if defined(_WIN32) @@ -1856,10 +1842,9 @@ void OpenURL(const char *url) sprintf(cmd, "open '%s'", url); #endif system(cmd); - + free(cmd); } - else TraceLog(LOG_WARNING, "Provided URL does not seem to be valid."); } //---------------------------------------------------------------------------------- |
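Review bot: Rejecting only `'` in the new `strchr(url, '\'')` check is sufficient only where the command is parsed by a POSIX shell, which treats everything inside single quotes literally. The `#if defined(_WIN32)` branch that begins at the end of the first hunk also goes through `system()`, and cmd.exe does not treat `'` as a quote, so the `&` that the removed loop used to reject becomes a command separator there again. That branch's format string lies between the two hunks and is not shown, so confirm it; keeping a stricter filter under `_WIN32`, or launching the handler without a shell, would close the gap. Separately, `calloc(strlen(url) + 10, sizeof(char))` is used unchecked and leaves only 9 bytes for the fixed part of the format: the `open '%s'` line in the second hunk fits, but a longer launcher name in the branches not shown would not, so size the buffer from the format and use `snprintf(cmd, size, ...)` after `if (cmd == NULL) return;`. A NULL `url` also reaches `strchr` unguarded.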
