author | Daniel Kamil Kozar <dkk089@gmail.com> | 2017-09-29 18:48:51 +0200 |
---|---|---|
committer | Daniel Kamil Kozar <dkk089@gmail.com> | 2017-09-29 18:48:51 +0200 |
commit | 56e04700db3ca4a4eedf375c87418610777806fd (patch) | |
tree | 549b8a02629f70b78814664b02cb980875dc378e | |
parent | 4e0d38dec2c9bd84cd88ff2039c93522af884974 (diff) | |
download | pidgin-56e04700db3ca4a4eedf375c87418610777806fd.tar.gz |
Add unit tests for xdg-open URI escaping
Move the implementation of xdg-open URI escaping to a separate function
called purple_uri_escape_for_open and add a unit test for it.
-rw-r--r-- | libpurple/tests/test_util.c | 22 | ||||
-rw-r--r-- | libpurple/util.c | 11 | ||||
-rw-r--r-- | libpurple/util.h | 11 | ||||
-rw-r--r-- | pidgin/gtknotify.c | 8 |
4 files changed, 45 insertions, 7 deletions
diff --git a/libpurple/tests/test_util.c b/libpurple/tests/test_util.c
index 303a056117..4239d9312c 100644
--- a/libpurple/tests/test_util.c
+++ b/libpurple/tests/test_util.c
@@ -232,6 +232,24 @@ START_TEST(test_strdup_withhtml)
 }
 END_TEST
 
+START_TEST(test_uri_escape_for_open)
+{
+ /* make sure shell stuff is escaped... */
+ gchar *result = purple_uri_escape_for_open("https://$(xterm)");
+ assert_string_equal_free("https://%24%28xterm%29", result);
+
+ result = purple_uri_escape_for_open("https://`xterm`");
+ assert_string_equal_free("https://%60xterm%60", result);
+
+ result = purple_uri_escape_for_open("https://$((25 + 13))");
+ assert_string_equal_free("https://%24%28%2825%20+%2013%29%29", result);
+
+ /* ...but keep brackets so that ipv6 links can be opened. */
+ result = purple_uri_escape_for_open("https://[123:4567:89a::::]");
+ assert_string_equal_free("https://[123:4567:89a::::]", result);
+}
+END_TEST
+
 Suite *
 util_suite(void)
 {
@@ -284,5 +302,9 @@ util_suite(void)
 tcase_add_test(tc, test_strdup_withhtml);
 suite_add_tcase(s, tc);
 
+ tc = tcase_create("escape_uri_for_open");
+ tcase_add_test(tc, test_uri_escape_for_open);
+ suite_add_tcase(s, tc);
+
 return s;
 }
diff --git a/libpurple/util.c b/libpurple/util.c
index 044a7acff0..ba7ad4b152 100644
--- a/libpurple/util.c
+++ b/libpurple/util.c
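Review bot: test_uri_escape_for_open pins `$`, backticks and parentheses, but nothing covers quote characters or input that is already percent-encoded, and both affect how the result behaves once it is shell-quoted. Because `%` is in the allowed set handed to g_uri_escape_string, an existing escape should come back unchanged rather than double-encoded; adding `result = purple_uri_escape_for_open("https://example.com/%24");` followed by `assert_string_equal_free("https://example.com/%24", result);` would lock that in. A similar pair for `'` and `"` (expected `%27` and `%22`) would catch anyone widening the allowed list later.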
@@ -4583,6 +4583,17 @@ purple_uri_list_extract_filenames(const gchar *uri_list)
 return result;
 }
 
+char *
+purple_uri_escape_for_open(const char *unescaped)
+{
+ /* Replace some special characters like $ with their percent-encoded value.
+ * This shouldn't be necessary because we shell-escape the entire arg before
+ * exec'ing the browser, however, we had a report that a URL containing
+ * $(xterm) was causing xterm to start on his system. This is obviously a
+ * bug on his system, but it's pretty easy for us to protect against it. */
+ return g_uri_escape_string(unescaped, "[]:;/%#,+?=&@", FALSE);
+}
+
 /**************************************************************************
 * UTF8 String Functions
 **************************************************************************/
diff --git a/libpurple/util.h b/libpurple/util.h
index ede673e19e..d7ae1957ca 100644
--- a/libpurple/util.h
+++ b/libpurple/util.h
@@ -1330,6 +1330,17 @@ GList *purple_uri_list_extract_uris(const gchar *uri_list);
 */
 GList *purple_uri_list_extract_filenames(const gchar *uri_list);
 
+/**
+ * This function escapes any characters that might be interpreted by the shell
+ * when executing a program to open a URI on some systems.
+ *
+ * @param unescaped The unescaped URI.
+ *
+ * @return A newly allocated string with any shell metacharacters replaced with
+ * their escaped equivalents.
+ */
+char *purple_uri_escape_for_open(const char *unescaped);
+
 /*@}*/
 
 /**************************************************************************
diff --git a/pidgin/gtknotify.c b/pidgin/gtknotify.c
index f23a8ffee8..25dc2ac4ac 100644
--- a/pidgin/gtknotify.c
+++ b/pidgin/gtknotify.c
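Review bot: The allowed set `"[]:;/%#,+?=&@"` in purple_uri_escape_for_open leaves `;`, `&`, `#` and `?` untouched, and a shell gives all of them meaning, so the return value is only safe as a single quoted argument and never for unquoted interpolation into a command line. The comment carried over from gtknotify.c explains the bug report but not that limit; I would add `/* Not a substitute for shell quoting: ';', '&', '#' and '?' are kept because URIs need them. */` above the return. The util.h doc comment in this commit has the same gap, since it promises to escape "any characters that might be interpreted by the shell"; wording such as "most shell metacharacters; callers must still quote the result" would match what the code does.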
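Review bot: The doc comment on purple_uri_escape_for_open in util.h says the result is newly allocated but not how to release it or what a NULL argument does. g_uri_escape_string returns a g_malloc'd string, so the `@return` text should end with `The caller must g_free() it.`, and `@param unescaped` should state that it must not be NULL, since GLib rejects NULL there and returns NULL. An explicit `g_return_val_if_fail(unescaped != NULL, NULL);` at the top of the util.c definition would make that contract visible in libpurple itself.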
@@ -1284,13 +1284,7 @@ pidgin_notify_uri(const char *uri)
 GSList *argv = NULL, *argv_remote = NULL;
 gchar **usercmd_argv = NULL;
 
- /* Replace some special characters like $ with their percent-encoded
- value. This shouldn't be necessary because we shell-escape the entire
- arg before exec'ing the browser, however, we had a report that a URL
- containing $(xterm) was causing xterm to start on his system. This is
- obviously a bug on his system, but it's pretty easy for us to protect
- against it. */
- uri_escaped = g_uri_escape_string(uri, "[]:;/%#,+?=&@", FALSE);
+ uri_escaped = purple_uri_escape_for_open(uri);
 
 web_browser = purple_prefs_get_string(PIDGIN_PREFS_ROOT
 "/browsers/browser"); |
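Review bot: The call site in pidgin_notify_uri no longer says why the URI is percent-escaped in addition to the shell quoting that the removed comment describes, because that explanation moved into util.c with the helper. A one-line reminder such as `/* Defense in depth; the argument is still shell-quoted before exec. */` above `uri_escaped = purple_uri_escape_for_open(uri);` would keep a later cleanup from dropping either layer. Whether uri_escaped is checked for NULL and freed cannot be seen here, as the function body continues outside the hunk.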