From e48958d9ffe8821d155d79926436d53b1553b767 Mon Sep 17 00:00:00 2001 From: DogeyStamp Date: Wed, 4 Aug 2021 16:46:48 -0400 Subject: [PATCH] Change filename sanitization --- README | 18 +++++++++++------- util.c | 16 ++++++++++------ 2 files changed, 21 insertions(+), 13 deletions(-) diff --git a/README b/README index 3f29f3d..54379c4 100644 --- a/README +++ b/README @@ -1,6 +1,6 @@ MinRSS ====== -MinRSS (minimal RSS) is an RSS feed reader inspired by suckless.org's +MinRSS (minimal RSS) is an RSS feed reader for Linux inspired by suckless.org's IRC clients ii and sic. Instead of presenting RSS articles as entries in a menu, it saves them as files in folders. @@ -12,12 +12,6 @@ rss |--post `--other_post -Compatibility -------------- -This program is designed to work on Linux, but it should be possible -to make it run on other operating systems. If you can do that -successfully, please contact me about it. - Requirements ------------ You need libcurl and libxml2 to compile MinRSS. @@ -39,3 +33,13 @@ Using MinRSS Make a directory to store your RSS feeds, then cd into it. Then, enter the minrss command to download the RSS feeds. Your feeds will be available as folders in your current working directory. + +Compatibility +------------- +This program is designed to work on Linux, but it should be possible +to make it run on other operating systems. If you can do that +successfully, please contact me about it. + +Note that if you use MinRSS on different systems, it will be possible for +attackers to write malicious filenames, so you should rewrite sanitize() +accordingly. diff --git a/util.c b/util.c index c5cf462..b99c625 100644 --- a/util.c +++ b/util.c @@ -54,17 +54,21 @@ san(char *str, int rep) unsigned long long int len = strlen(str); unsigned long long int offset = 0; + len = len > 255 ? 255 : len; + char *dup = ecalloc(len + 1, sizeof(char)); strcpy(dup, str); for (unsigned long long int i = 0; i < len; i++) { - if ((dup[i] >= 'a' && dup[i] <= 'z') || - (dup[i] >= 'A' && dup[i] <= 'Z') || - (dup[i] >= '0' && dup[i] <= '9') || - dup[i] == '-' || dup[i] == '_') + char c = dup[i]; + + if ((c >= 'a' && c <= 'z') || + (c >= 'A' && c <= 'Z') || + (c >= '0' && c <= '9') || + (c == '.' && i - offset != 0) || + c == '-' || c == '_' || + c == ' ') dup[i - offset] = dup[i]; - else if (dup[i] == ' ') - dup[i - offset] = '_'; else offset++; }