MeshCentral/MeshAgent
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshAgent synced 2025-12-15 15:53:55 +00:00
Code Issues Releases Wiki Activity

1. Fixed compiler warnings for PAC related code

Browse Source 
2. Updated clipboard helper, to fix compiler warning in generated code
3. Updated message-box to sanitize input values to prevent possible exploit
This commit is contained in:
Bryan Roe
2022-01-03 19:22:14 -08:00
parent 3a10fa34d2
commit 20312bf5d6
4 changed files with 7 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
microscript/ILibDuktape_Polyfills.c
View File

File diff suppressed because one or more lines are too long

5
microscript/ILibDuktape_ScriptContainer.c
View File

@@ -2709,7 +2709,7 @@ duk_ret_t ILibDuktape_PAC_Impl(duk_context *ctx)
duk_push_sprintf(ex, "FindProxyForURL('%s', '%s');", url, addr);
if (duk_peval(ex) != 0)
{
sprintf_s(ILibScratchPad, sizeof(ILibScratchPad), duk_safe_to_string(ex, -1));
sprintf_s(ILibScratchPad, sizeof(ILibScratchPad), (char*)duk_safe_to_string(ex, -1));
duk_pop(ex);
return(ILibDuktape_Error(ctx, "Error: %s", ILibScratchPad));
}
@@ -2760,7 +2760,7 @@ duk_ret_t ILibDuktape_PAC_Create(duk_context *ctx)
duk_pop(ex);
char *pac = NULL;
pac[ILibBase64Decode("LyoNCkNvcHlyaWdodCAyMDIxIEludGVsIENvcnBvcmF0aW9uDQpAYXV0aG9yIEJyeWFuIFJvZQ0KDQpMaWNlbnNlZCB1bmRlciB0aGUgQXBhY2hlIExpY2Vuc2UsIFZlcnNpb24gMi4wICh0aGUgIkxpY2Vuc2UiKTsNCnlvdSBtYXkgbm90IHVzZSB0aGlzIGZpbGUgZXhjZXB0IGluIGNvbXBsaWFuY2Ugd2l0aCB0aGUgTGljZW5zZS4NCllvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdA0KDQogICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzL0xJQ0VOU0UtMi4wDQoNClVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvciBhZ3JlZWQgdG8gaW4gd3JpdGluZywgc29mdHdhcmUNCmRpc3RyaWJ1dGVkIHVuZGVyIHRoZSBMaWNlbnNlIGlzIGRpc3RyaWJ1dGVkIG9uIGFuICJBUyBJUyIgQkFTSVMsDQpXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4NClNlZSB0aGUgTGljZW5zZSBmb3IgdGhlIHNwZWNpZmljIGxhbmd1YWdlIGdvdmVybmluZyBwZXJtaXNzaW9ucyBhbmQNCmxpbWl0YXRpb25zIHVuZGVyIHRoZSBMaWNlbnNlLg0KKi8NCg0KDQoNCi8vIEV2YWx1YXRlcyBob3N0bmFtZXMgYW5kIHJldHVybnMgdHJ1ZSBpZiBob3N0bmFtZXMgbWF0Y2gNCmZ1bmN0aW9uIGRuc0RvbWFpbklzKHRhcmdldCwgaG9zdCkNCnsNCiAgICBpZighaG9zdC5zdGFydHNXaXRoKCcuJykpDQogICAgew0KICAgICAgICBob3N0ID0gJy4nICsgaG9zdDsNCiAgICB9DQogICAgcmV0dXJuICh0YXJnZXQudG9Mb3dlckNhc2UoKS5lbmRzV2l0aChob3N0LnRvTG93ZXJDYXNlKCkpKTsNCn0NCg0KLy8gbWF0Y2ggaG9zdG5hbWUgb3IgVVJMIHRvIGEgc3BlY2lmaWVkIHNoZWxsIGV4cHJlc3Npb24sICByZXR1cm5zIHRydWUgaWYgbWF0Y2hlZA0KZnVuY3Rpb24gc2hFeHBNYXRjaChob3N0LCBleHApDQp7DQogICAgZXhwID0gZXhwLnNwbGl0KCcuJykuam9pbignXFwuJyk7DQogICAgZXhwID0gZXhwLnNwbGl0KCc/Jykuam9pbignLicpOw0KICAgIGV4cCA9IGV4cC5zcGxpdCgnKicpLmpvaW4oJy4qJyk7DQogICAgZXhwID0gJ14nICsgZXhwICsgJyQnOw0KICAgIHJldHVybiAoaG9zdC5zZWFyY2goZXhwKSA+PSAwKTsNCn0NCg0KLy8gZXZhbHVhdGVzIHRoZSBJUCBhZGRyZXNzIG9mIGEgaG9zdG5hbWUsIGFuZCBpZiB3aXRoaW4gYSBzcGVjaWZpZWQgc3VibmV0IHJldHVybnMgdHJ1ZQ0KZnVuY3Rpb24gaXNJbk5ldCh0YXJnZXQsIGFkZHJlc3MsIG1hc2spDQp7DQogICAgdHJ5DQogICAgew0KICAgICAgICB2YXIgZGVzdEFkZHIgPSByZXNvbHZlKHRhcmdldCkuX2ludGVnZXJzWzBdOw0KICAgICAgICB2YXIgbWFza0FkZHIgPSByZXNvbHZlKG1hc2spLl9pbnRlZ2Vyc1swXTsNCiAgICAgICAgcmV0dXJuIChfaXB2NEZyb20oZGVzdEFkZHIgJiBtYXNrQWRkcikgPT0gYWRkcmVzcyk7DQogICAgfQ0KICAgIGNhdGNoKGUpDQogICAgew0KICAgICAgICByZXR1cm4gKGZhbHNlKTsNCiAgICB9DQp9DQoNCi8vIGxvY2FsIGhvc3QgYWRkcmVzcw0KZnVuY3Rpb24gbXlJcEFkZHJlc3MoKQ0Kew0KDQp9DQoNCi8vIHJlc29sdmUgaG9zdCBuYW1lIHRvIGFkZHJlc3MNCmZ1bmN0aW9uIGRuc1Jlc29sdmUoaG9zdCkNCnsNCiAgICB2YXIgcmVzdWx0ID0gcmVzb2x2ZShob3N0KTsNCiAgICBpZihyZXN1bHQubGVuZ3RoID09IDApDQogICAgew0KICAgICAgICByZXR1cm4gKCcnKTsNCiAgICB9DQogICAgZWxzZQ0KICAgIHsNCiAgICAgICAgcmV0dXJuIChyZXN1bHRbMF0pOw0KICAgIH0NCn0NCg0KLy8gcmV0dXJuIHRydWUgaWYgdGhlIGhvc3RuYW1lIGNvbnRhaW5zIG5vIGRvdHMNCmZ1bmN0aW9uIGlzUGxhaW5Ib3N0TmFtZShob3N0KQ0Kew0KICAgIHJldHVybiAoaG9zdC5pbmRleE9mKCcuJykgPCAwKTsNCn0NCg0KLy8gZXZhbHVhdGUgaG9zdG5hbWUgYW5kIHJldHVybiB0cnVlIElGRiBleGFjdCBtYXRjaA0KZnVuY3Rpb24gbG9jYWxIb3N0T3JEb21haW5Jcyh0YXJnZXQsIGhvc3QpDQp7DQogICAgcmV0dXJuIChkbnNSZXNvbHZlKHRhcmdldCkgPT0gaG9zdCk7DQp9DQoNCi8vIHJldHVybiB0cnVlIGlmIHJlc29sdmUgaXMgc3VjY2Vzc2Z1bA0KZnVuY3Rpb24gaXNSZXNvbHZhYmxlKGhvc3QpDQp7DQogICAgcmV0dXJuIChyZXNvbHZlKGhvc3QpLmxlbmd0aCA+IDApOw0KfQ0KDQovLyByZXR1cm5zIHRoZSBudW1iZXIgb2YgRE5TIGRvbWFpbiBsZXZlbHMgKG51bWJlciBvZiBkb3RzKSBpbiB0aGUgaG9zdG5hbWUNCmZ1bmN0aW9uIGRuc0RvbWFpbkxldmVscyhob3N0KQ0Kew0KICAgIHJldHVybiAoaG9zdC5zcGxpdCgnLicpLmxlbmd0aCAtIDEpOw0KfQ0KDQoNCmZ1bmN0aW9uIHdlZWtkYXlSYW5nZShzdGFydCwgZW5kKQ0Kew0KDQp9DQpmdW5jdGlvbiBkYXRlUmFuZ2Uoc3RhcnQsIGVuZCkNCnsNCg0KfQ0KZnVuY3Rpb24gdGltZVJhbmdlKHN0YXJ0LCBlbmQpDQp7DQoNCn0NCg0KZnVuY3Rpb24gYWxlcnQobXNnKQ0Kew0KDQp9DQoNCg==", 3356, &pac)] = 0;
pac[ILibBase64Decode((unsigned char*)"LyoNCkNvcHlyaWdodCAyMDIxIEludGVsIENvcnBvcmF0aW9uDQpAYXV0aG9yIEJyeWFuIFJvZQ0KDQpMaWNlbnNlZCB1bmRlciB0aGUgQXBhY2hlIExpY2Vuc2UsIFZlcnNpb24gMi4wICh0aGUgIkxpY2Vuc2UiKTsNCnlvdSBtYXkgbm90IHVzZSB0aGlzIGZpbGUgZXhjZXB0IGluIGNvbXBsaWFuY2Ugd2l0aCB0aGUgTGljZW5zZS4NCllvdSBtYXkgb2J0YWluIGEgY29weSBvZiB0aGUgTGljZW5zZSBhdA0KDQogICAgaHR0cDovL3d3dy5hcGFjaGUub3JnL2xpY2Vuc2VzL0xJQ0VOU0UtMi4wDQoNClVubGVzcyByZXF1aXJlZCBieSBhcHBsaWNhYmxlIGxhdyBvciBhZ3JlZWQgdG8gaW4gd3JpdGluZywgc29mdHdhcmUNCmRpc3RyaWJ1dGVkIHVuZGVyIHRoZSBMaWNlbnNlIGlzIGRpc3RyaWJ1dGVkIG9uIGFuICJBUyBJUyIgQkFTSVMsDQpXSVRIT1VUIFdBUlJBTlRJRVMgT1IgQ09ORElUSU9OUyBPRiBBTlkgS0lORCwgZWl0aGVyIGV4cHJlc3Mgb3IgaW1wbGllZC4NClNlZSB0aGUgTGljZW5zZSBmb3IgdGhlIHNwZWNpZmljIGxhbmd1YWdlIGdvdmVybmluZyBwZXJtaXNzaW9ucyBhbmQNCmxpbWl0YXRpb25zIHVuZGVyIHRoZSBMaWNlbnNlLg0KKi8NCg0KDQoNCi8vIEV2YWx1YXRlcyBob3N0bmFtZXMgYW5kIHJldHVybnMgdHJ1ZSBpZiBob3N0bmFtZXMgbWF0Y2gNCmZ1bmN0aW9uIGRuc0RvbWFpbklzKHRhcmdldCwgaG9zdCkNCnsNCiAgICBpZighaG9zdC5zdGFydHNXaXRoKCcuJykpDQogICAgew0KICAgICAgICBob3N0ID0gJy4nICsgaG9zdDsNCiAgICB9DQogICAgcmV0dXJuICh0YXJnZXQudG9Mb3dlckNhc2UoKS5lbmRzV2l0aChob3N0LnRvTG93ZXJDYXNlKCkpKTsNCn0NCg0KLy8gbWF0Y2ggaG9zdG5hbWUgb3IgVVJMIHRvIGEgc3BlY2lmaWVkIHNoZWxsIGV4cHJlc3Npb24sICByZXR1cm5zIHRydWUgaWYgbWF0Y2hlZA0KZnVuY3Rpb24gc2hFeHBNYXRjaChob3N0LCBleHApDQp7DQogICAgZXhwID0gZXhwLnNwbGl0KCcuJykuam9pbignXFwuJyk7DQogICAgZXhwID0gZXhwLnNwbGl0KCc/Jykuam9pbignLicpOw0KICAgIGV4cCA9IGV4cC5zcGxpdCgnKicpLmpvaW4oJy4qJyk7DQogICAgZXhwID0gJ14nICsgZXhwICsgJyQnOw0KICAgIHJldHVybiAoaG9zdC5zZWFyY2goZXhwKSA+PSAwKTsNCn0NCg0KLy8gZXZhbHVhdGVzIHRoZSBJUCBhZGRyZXNzIG9mIGEgaG9zdG5hbWUsIGFuZCBpZiB3aXRoaW4gYSBzcGVjaWZpZWQgc3VibmV0IHJldHVybnMgdHJ1ZQ0KZnVuY3Rpb24gaXNJbk5ldCh0YXJnZXQsIGFkZHJlc3MsIG1hc2spDQp7DQogICAgdHJ5DQogICAgew0KICAgICAgICB2YXIgZGVzdEFkZHIgPSByZXNvbHZlKHRhcmdldCkuX2ludGVnZXJzWzBdOw0KICAgICAgICB2YXIgbWFza0FkZHIgPSByZXNvbHZlKG1hc2spLl9pbnRlZ2Vyc1swXTsNCiAgICAgICAgcmV0dXJuIChfaXB2NEZyb20oZGVzdEFkZHIgJiBtYXNrQWRkcikgPT0gYWRkcmVzcyk7DQogICAgfQ0KICAgIGNhdGNoKGUpDQogICAgew0KICAgICAgICByZXR1cm4gKGZhbHNlKTsNCiAgICB9DQp9DQoNCi8vIHJlc29sdmUgaG9zdCBuYW1lIHRvIGFkZHJlc3MNCmZ1bmN0aW9uIGRuc1Jlc29sdmUoaG9zdCkNCnsNCiAgICB2YXIgcmVzdWx0ID0gcmVzb2x2ZShob3N0KTsNCiAgICBpZihyZXN1bHQubGVuZ3RoID09IDApDQogICAgew0KICAgICAgICByZXR1cm4gKCcnKTsNCiAgICB9DQogICAgZWxzZQ0KICAgIHsNCiAgICAgICAgcmV0dXJuIChyZXN1bHRbMF0pOw0KICAgIH0NCn0NCg0KLy8gcmV0dXJuIHRydWUgaWYgdGhlIGhvc3RuYW1lIGNvbnRhaW5zIG5vIGRvdHMNCmZ1bmN0aW9uIGlzUGxhaW5Ib3N0TmFtZShob3N0KQ0Kew0KICAgIHJldHVybiAoaG9zdC5pbmRleE9mKCcuJykgPCAwKTsNCn0NCg0KLy8gZXZhbHVhdGUgaG9zdG5hbWUgYW5kIHJldHVybiB0cnVlIElGRiBleGFjdCBtYXRjaA0KZnVuY3Rpb24gbG9jYWxIb3N0T3JEb21haW5Jcyh0YXJnZXQsIGhvc3QpDQp7DQogICAgcmV0dXJuIChkbnNSZXNvbHZlKHRhcmdldCkgPT0gaG9zdCk7DQp9DQoNCi8vIHJldHVybiB0cnVlIGlmIHJlc29sdmUgaXMgc3VjY2Vzc2Z1bA0KZnVuY3Rpb24gaXNSZXNvbHZhYmxlKGhvc3QpDQp7DQogICAgcmV0dXJuIChyZXNvbHZlKGhvc3QpLmxlbmd0aCA+IDApOw0KfQ0KDQovLyByZXR1cm5zIHRoZSBudW1iZXIgb2YgRE5TIGRvbWFpbiBsZXZlbHMgKG51bWJlciBvZiBkb3RzKSBpbiB0aGUgaG9zdG5hbWUNCmZ1bmN0aW9uIGRuc0RvbWFpbkxldmVscyhob3N0KQ0Kew0KICAgIHJldHVybiAoaG9zdC5zcGxpdCgnLicpLmxlbmd0aCAtIDEpOw0KfQ0KDQoNCmZ1bmN0aW9uIHdlZWtkYXlSYW5nZShzdGFydCwgZW5kKQ0Kew0KDQp9DQpmdW5jdGlvbiBkYXRlUmFuZ2Uoc3RhcnQsIGVuZCkNCnsNCg0KfQ0KZnVuY3Rpb24gdGltZVJhbmdlKHN0YXJ0LCBlbmQpDQp7DQoNCn0NCg0KZnVuY3Rpb24gYWxlcnQobXNnKQ0Kew0KDQp9DQo=", 3276, (unsigned char **)&pac)] = 0;
duk_peval_string_noresult(ex, pac);
free(pac);
@@ -2792,6 +2792,7 @@ duk_ret_t ILibDuktape_PAC_Create(duk_context *ctx)
duk_ret_t ILibDuktape_PAC_Find(duk_context *ctx)
{
duk_eval_string(ctx, "resolve('wpad');");
return(0);
}
void ILibDuktape_PAC_PUSH(duk_context *ctx, void *chain)
{

2
modules/clipboard.js
View File

@@ -90,7 +90,7 @@ function nativeBase64(name)
{
var value = Buffer.from(getJSModule(name)).toString('base64');
var ret = "char *" + name + " = NULL;\n";
ret += (name + '[ILibBase64Decode("' + value + '", ' + value.length + ', &' + name + ')] = 0;\n');
ret += (name + '[ILibBase64Decode((unsigned char*)"' + value + '", ' + value.length + ', (unsigned char **)&' + name + ')] = 0;\n');
ret += ('duk_peval_string_noresult(ex, ' + name + ');\n');
ret += ('free(' + name + ');\n');
module.exports(ret);

3
modules/message-box.js
View File

@@ -179,7 +179,6 @@ function messageBox()
}
}
function linux_messageBox()
{
this._ObjectID = 'message-box';
@@ -375,7 +374,7 @@ function linux_messageBox()
return (ret);
}
// GNOME/ZENITY
ret._options = { title: title.trim(), caption: caption.trim(), timeout: timeout, layout: layout, zenity: this.zenity };
ret._options = { title: title.trim().split('').join('\\'), caption: caption.trim().split('').join('\\'), timeout: timeout, layout: layout, zenity: this.zenity };
var parms = ['zenity'];
if (Array.isArray(layout))
{