hysteria

ii wrapper script
git clone git://git.2f30.org/hysteria.git
Log | Files | Refs | README | LICENSE

commit d95c6125eef60ed5a3bb24db1d77bc140330ee85
parent dd66b78a8a2760cdbb19e6f7c93b35bb3f1ec194
Author: guysv <sviryguy@gmail.com>
Date:   Sat, 14 Dec 2019 23:16:55 +0200

pass args as env-vars to new windows

before this commit specially crafted user/channel could
escape the `tmux new-window` command, and inject commands
on their own. fortunately, ii normalizes file names and
escapes dangerous characters, so no real harm can be done.
this is now mitigated at our scope.

Diffstat:
Mhysteria-monitor | 7++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/hysteria-monitor b/hysteria-monitor @@ -42,9 +42,10 @@ while :; do if test x"${inputcmd}" = x""; then inputcmd='cat >> "$INFILE"' fi - tmux new-window "tail -f '$OUTFILE' | hysteria-highlight -n '($nick)' -w '($nick)'" - tmux split-window -v -p 1 "tmux resize-pane -y 2; \ - CHAN='$CHAN' INFILE='$INFILE' OUTFILE='$OUTFILE' eval '$inputcmd'" + # arguments are passed as environment variables to mitigate possible shell injections + tmux new-window -e "OUTFILE=$OUTFILE" -e "nick=$nick" 'tail -f "$OUTFILE" | hysteria-highlight -n "($nick)" -w "($nick)"' + tmux split-window -v -p 1 -e "CHAN=$CHAN" -e "INFILE=$INFILE" -e "OUTFILE=$OUTFILE" -e "inputcmd=$inputcmd" \ + 'tmux resize-pane -y 2; CHAN="$CHAN" INFILE="$INFILE" OUTFILE="$OUTFILE" eval "$inputcmd"' tmux rename-window "$title" fi done