From 66fb96a7c8842a1a5a44a95fadcec9e4c6b9b78e Mon Sep 17 00:00:00 2001
From: Bruno Raoult
Date: Wed, 10 Aug 2022 22:08:29 +0200
Subject: [PATCH] gen-password: fix unsanitized strings for yad
---
 bash/gen-password.sh | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/bash/gen-password.sh b/bash/gen-password.sh
index f601362..64af5cb 100755
--- a/bash/gen-password.sh
+++ b/bash/gen-password.sh
@@ -210,11 +210,25 @@ check_dict() {
 return 0
 }
+# sanitize() - sanitize string for HTML characters
+# $1: string to cleanup
+#
+# @return: 0, $1 will contain the sanitized string
+sanitize() {
+ local str="$1"
+
+ str=${str//&/&}
+ str=${str///>}
+ str=${str//'"'/"}
+ log "sanitized string: '%s' -> '%s'" "$1" "$str"
+ printf -- "%str" "$str"
+}
 # srandom() - use RANDOM to simulate SRANDOM
 # $1: Reference of variable to hold result
 #
-# Note: RANDOM is 15 bits, SRANDOM is 15 bits.
+# Note: RANDOM is 15 bits, SRANDOM is 32 bits.
 #
 # @return: 0, $1 will contain the 32 bits random number
 srandom() {
@@ -305,12 +319,12 @@ rnd_charset() {
 local charset="$1" ret=""
 local -i len=$2 _i
- log "rnd_charset: %d from '%s'" "$len" "$charset"
+ #log "rnd_charset: %d from '%s'" "$len" "$charset"
 for ((_i=0; _i n)) && log "truncating '%s' to '%s'" "$str" "${str:0:n}" printf "%s" "${str:0:n}"
@@ -473,11 +488,12 @@ print_command() {
 # @return: 0
 gui_passwd() {
 local -a _command=("$@")
- local passwd="" res=0
+ local passwd="" res=0 sane=""
 while passwd=$("${_command[@]}")
- yad --title="Password Generator" --text-align=center --text="$passwd" \
+ sane=$(sanitize "$passwd")
+ yad --title="Password Generator" --text-align=center --text="$sane" \
 --borders=20 --button=gtk-copy:0 --button=gtk-refresh:1 \
 --button=gtk-ok:252 --window-icon=dialog-password
 res=$?
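Review bot: The `log` call inside the new `sanitize()` writes the raw generated password (`$1`) and its escaped form to the log, so every password the GUI displays also lands wherever `log` sends its output; dropping that line, or logging only `${#str}`, avoids that, and the same commit already comments out the comparable `rnd_charset` log in the second hunk. The closing `printf -- "%str" "$str"`, as it appears on this page, uses the format `%str`, which prints `$str` followed by a literal `tr`; if that is not an extraction artefact it should read `printf -- '%s' "$str"`. The header comment says `$1 will contain the sanitized string`, but the function returns its result on stdout and the caller reads it with `sane=$(sanitize "$passwd")`, so `# @return: 0, prints the sanitized string on stdout` would be accurate. The `<` and `>` replacement lines look garbled in this rendering of the hunk (the entities appear to have been stripped), so their correctness cannot be confirmed from the page.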
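Review bot: After `sane=$(sanitize "$passwd")`, the password is still handed to yad as a command-line argument (`--text="$sane"`), so for as long as the dialog is open it is typically readable by other local processes through the process list (`ps`, `/proc/*/cmdline`); the escaping fixes the markup problem but not this exposure. If yad offers a way to take the text from stdin or a file, that would keep it off argv; otherwise a comment such as `# NOTE: password is visible in the process list while the dialog is open` records the accepted trade-off. The `while` condition list these lines belong to continues past the hunk (its `do` is not visible here).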