From ce79121d27555dc8ad43b5db49a35db83a01a0b8 Mon Sep 17 00:00:00 2001
From: Philippe Nunes
Date: Tue, 28 Aug 2012 15:32:41 +0200
Subject: stkagent: Sanitize any output from the agent
---
 src/stkagent.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 53 insertions(+), 3 deletions(-)
(limited to 'src/stkagent.c')
diff --git a/src/stkagent.c b/src/stkagent.c
index af5d762f..4bd39b86 100644
--- a/src/stkagent.c
+++ b/src/stkagent.c
@@ -59,6 +59,9 @@ struct stk_agent {
 DBusPendingCall *call;
 void *user_cb;
 void *user_data;
+ int min_length;
+ int max_length;
+ ofono_bool_t hidden_entry;
 ofono_destroy_func user_destroy;
 const struct stk_menu *request_selection_menu;
@@ -539,14 +542,24 @@ static void get_digit_cb(DBusPendingCall *call, void *data)
 if (dbus_message_get_args(reply, NULL, DBUS_TYPE_STRING, &digit,
- DBUS_TYPE_INVALID) == FALSE ||
- strlen(digit) != 1 ||
- !valid_phone_number_format(digit)) {
+ DBUS_TYPE_INVALID) == FALSE) {
 ofono_error("Can't parse the reply to GetDigit()");
 remove_agent = TRUE;
 goto error;
 }
+ if (strlen(digit) != 1 || !strspn(digit, "0123456789*#+")) {
+ ofono_error("Invalid character");
+ remove_agent = TRUE;
+ goto error;
+ }
+
+ if (agent->hidden_entry && digit[0] == '+') {
+ ofono_error("The character + is not allowed in this mode");
+ remove_agent = TRUE;
+ goto error;
+ }
+
 cb(result, digit, agent->user_data);
 CALLBACK_END();
@@ -578,6 +591,7 @@ int stk_agent_request_digit(struct stk_agent *agent, const char *text,
 agent->user_cb = cb;
 agent->user_data = user_data;
 agent->user_destroy = destroy;
+ agent->hidden_entry = FALSE;
 dbus_pending_call_set_notify(agent->call, get_digit_cb, agent, NULL);
@@ -610,6 +624,7 @@ int stk_agent_request_quick_digit(struct stk_agent *agent, const char *text,
 agent->user_cb = cb;
 agent->user_data = user_data;
 agent->user_destroy = destroy;
+ agent->hidden_entry = TRUE;
 dbus_pending_call_set_notify(agent->call, get_digit_cb, agent, NULL);
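Review bot: In get_digit_cb (hunk `@@ -539,14 +542,24`) the new test `!strspn(digit, "0123456789*#+")` uses a span length as a boolean, which is only correct because `strlen(digit) != 1` is tested first in the same condition. Comparing explicitly, `strspn(digit, "0123456789*#+") != 1`, keeps the character check right if the two tests are ever separated. The allowed-character literal appears twice more in get_digits_cb (hunk `@@ -713,6 +729,25`), with and without `+`; naming the base set once, e.g. `#define STK_DIGITS "0123456789*#"` and `STK_DIGITS "+"` for the wider set, would keep the three checks from drifting apart. The function body starts and ends outside the hunk.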
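Review bot: The assignment `agent->hidden_entry = TRUE;` in stk_agent_request_quick_digit (hunk `@@ -610,6 +624,7`) is undocumented, and the only reader visible for this request is get_digit_cb, where the flag means that `+` is rejected. Whether quick-digit entry is actually displayed hidden cannot be seen in this patch, so the field name may mislead the next maintainer of the validation. A comment at the assignment such as `/* reuses hidden_entry: get_digit_cb rejects '+' when it is set */` would record the intent. The same applies to the `FALSE` assignment in stk_agent_request_digit (hunk `@@ -578,6 +591,7`).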
@@ -692,6 +707,7 @@ static void get_digits_cb(DBusPendingCall *call, void *data)
 enum stk_agent_result result;
 gboolean remove_agent;
 char *string;
+ int len, span;
 if (check_error(agent, reply, ALLOWED_ERROR_GO_BACK | ALLOWED_ERROR_TERMINATE,
@@ -713,6 +729,25 @@ static void get_digits_cb(DBusPendingCall *call, void *data)
 goto error;
 }
+ len = strlen(string);
+
+ if (len < agent->min_length || len > agent->max_length) {
+ ofono_error("Length not acceptable");
+ remove_agent = TRUE;
+ goto error;
+ }
+
+ if (agent->hidden_entry)
+ span = strspn(string, "0123456789*#");
+ else
+ span = strspn(string, "0123456789*#+");
+
+ if (span != len) {
+ ofono_error("Invalid character found");
+ remove_agent = TRUE;
+ goto error;
+ }
+
 cb(result, string, agent->user_data);
 CALLBACK_END();
@@ -756,6 +791,9 @@ int stk_agent_request_digits(struct stk_agent *agent, const char *text,
 agent->user_cb = cb;
 agent->user_data = user_data;
 agent->user_destroy = destroy;
+ agent->min_length = min_val;
+ agent->max_length = max_val;
+ agent->hidden_entry = hidden_val;
 dbus_pending_call_set_notify(agent->call, get_digits_cb, agent, NULL);
@@ -770,6 +808,7 @@ static void get_input_cb(DBusPendingCall *call, void *data)
 enum stk_agent_result result;
 gboolean remove_agent;
 char *string;
+ int len;
 if (check_error(agent, reply, ALLOWED_ERROR_GO_BACK | ALLOWED_ERROR_TERMINATE,
@@ -791,6 +830,14 @@ static void get_input_cb(DBusPendingCall *call, void *data)
 goto error;
 }
+ len = g_utf8_strlen(string, -1);
+
+ if (len < agent->min_length || len > agent->max_length) {
+ ofono_error("Length not acceptable");
+ remove_agent = TRUE;
+ goto error;
+ }
+
 cb(result, string, agent->user_data);
 CALLBACK_END();
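Review bot: The rejections added to get_digits_cb (hunk `@@ -713,6 +729,25`) log `"Length not acceptable"` and `"Invalid character found"` without naming the request, and get_input_cb (hunk `@@ -791,6 +830,14`) logs the identical length message, so a log line cannot be tied to the reply that caused the agent to be removed. Naming the callback and the bounds would help triage, e.g. `ofono_error("get_digits_cb: reply length %d outside [%d, %d]", len, agent->min_length, agent->max_length);`. The reply string itself should stay out of the log, since with `hidden_entry` set it may be a value the user expected to remain hidden. The function body continues outside the hunk.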
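Review bot: In get_input_cb (hunk `@@ -791,6 +830,14`) the length is counted with `g_utf8_strlen(string, -1)`, i.e. in characters, while get_digits_cb uses strlen(); the difference looks deliberate but is undocumented. A comment above the call such as `/* length limits are compared in characters, not bytes */` would stop a later cleanup from switching it to strlen(). stk_agent_request_input (hunk `@@ -835,6 +882,9`) also stores `hidden_entry`, yet nothing in the visible get_input_cb hunks reads it, so either that store is unused for this request or a character-set check is still missing here. The rest of the function lies outside the hunk, so this should be confirmed against the full file.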
@@ -835,6 +882,9 @@ int stk_agent_request_input(struct stk_agent *agent, const char *text,
 agent->user_cb = cb;
 agent->user_data = user_data;
 agent->user_destroy = destroy;
+ agent->min_length = min_val;
+ agent->max_length = max_val;
+ agent->hidden_entry = hidden_val;
 dbus_pending_call_set_notify(agent->call, get_input_cb, agent, NULL);
-- cgit v1.2.3