Changeset b281379


Timestamp:
Oct 22, 2003, 4:27:44 PM (21 years ago)
Author:
jtwang <jtwang>
Branches:
master, debian, mac, no-cups, nodebathena, web
Children:
6761cd4
Parents:
bc5ca87
git-author:
jtwang <jtwang> (10/22/03 16:27:44)
git-committer:
jtwang <jtwang> (10/22/03 16:27:44)
Message:

Correct security problems with $uri being passed on the command lines
to w3m, mpg123, and ogg123, all of which were run via /bin/sh and were
thus subject to shell expansion, especially of shell metacharacters.

Replace them with open("-|") fork-exec machinery. Note that this
eliminates a previously required temporary file for mpg123/ogg123
output, but at the cost of some code complexity. Perhaps the common
parts of the mpg123/ogg123 invocation should be factored out.

(log message from jhawk)

File:
1 edited

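--- a/gutenbach/debian/lib/sipbmp3-filter
+++ b/gutenbach/debian/lib/sipbmp3-filter
@@ -2,5 +2,5 @@
 # Play the data on STDIN as an audio file
 #
-# $Id: sipbmp3-filter,v 1.8 2003-08-11 02:11:28 jhawk Exp $
+# $Id: sipbmp3-filter,v 1.9 2003-10-22 20:27:44 jtwang Exp $
 # $Source: /tmp/tmp.UFBNno9997/RCS/sipbmp3-filter,v $
 #
@@ -145,22 +145,34 @@
       if (<STDIN> =~ /^(\S*)\s*(.*)$/) {
           $uri=$1;
-          open(W3M, "/mit/sipb/bin/w3m -dump_head $uri|");
-          $contenttype="unknown";
-          while (<W3M>) {
-              if ($_ =~ /^Content-Type:\s(\S*)/) {
-                  $contenttype=$1;
+          my $pid = open(W3M, "-|");
+          unless (defined $pid) {
+              print ZEPHYR "Couldn't fork: $!\n";
+              close(ZEPHYR);
+              return;
+          }
+
+          if ($pid) { #parent
+              $contenttype="unknown";
+              while (<W3M>) {
+                  if ($_ =~ /^Content-Type:\s(\S*)/) {
+                      $contenttype=$1;
+                  }
               }
-          }
-             if ($contenttype eq "audio/mpeg") { $format="MP3" }
-          elsif ($contenttype eq "application/x-ogg") { $format="OGG" }
-          elsif ($contenttype eq "application/ogg") { $format="OGG" }
-          else {
-              print ZEPHYR "Unknown Content-Type $contenttype for URI $uri\n";
-              close(ZEPHYR);
+              if ($contenttype eq "audio/mpeg") { $format="MP3" }
+              elsif ($contenttype eq "application/x-ogg") { $format="OGG" }
+              elsif ($contenttype eq "application/ogg") { $format="OGG" }
+              else {
+                  print ZEPHYR "Unknown Content-Type $contenttype for URI $uri\n";
+                  close(ZEPHYR);
+              }
+              close(W3M) || print ZEPHYR "w3m exited $?\n";
+          }
+          else { # child
+              exec("/mit/sipb/bin/w3m","-dump_head",$uri) || die "Couldn't exec";
           }
       } else {
         print ZEPHYR "Couldn't read URI for external reference\n";
         close(ZEPHYR);
-      }
+    }
   } else {
       print ZEPHYR "Unknown syntax in play_external_reference(): $magic\n";
@@ -207,24 +219,36 @@
   system("ps ax | grep mpg123 | awk '{print $2}' | xargs kill -9");
   system("chmod a+rw /dev/audio");
-  system("/mit/infoagents/bin/mpg123 -b 16384 -q $up $uri >/tmp/mpg123.out 2>&1");
-
-  # Done. Status:
+
+  # Prepare to write status:
   open(ZEPHYR, '|/usr/athena/bin/zwrite -d -n -c sipb-auto -i sipbmp3@xcb -s "SIPB LPR music spooler"');
-
-  # Check if there were any errors
-  open(MP3STATUS, "/tmp/mpg123.out");
-  if ($_ = <MP3STATUS>) {
-    print ZEPHYR "Playback completed with the following errors:\n";
-    print ZEPHYR $_;
-    while (<MP3STATUS>) {
-      print ZEPHYR $_;
-    }
-  } else {
-    print ZEPHYR "Playback completed successfully.\n";
-  }
-  close(MP3STATUS);
-  unlink(MP3STATUS);
-
-  close(ZEPHYR);
+     
+  # fork for mpg123
+  my $pid = open(MP3STATUS, "-|");
+  unless (defined $pid) {
+      print ZEPHYR "Couldn't fork: $!\n";
+      close(ZEPHYR);
+      return;
+  }
+ 
+  if ($pid) { #parent
+      # Check if there were any errors
+      if ($_ = <MP3STATUS>) {
+          print ZEPHYR "Playback completed with the following errors:\n";
+          print ZEPHYR $_;
+          while (<MP3STATUS>) {
+              print ZEPHYR $_;
+          }
+      } else {
+          print ZEPHYR "Playback completed successfully.\n";
+      }
+      close(MP3STATUS) || print ZEPHYR "mpg123 exited $?\n";
+     
+      close(ZEPHYR);
+  }
+  else { # child
+      # redirect STDERR to STDOUT
+      open STDERR, '>&STDOUT';
+      exec("/mit/infoagents/bin/mpg123","-b16384","-q",$up,$uri) or die "Couldn't exec";
+  }
 }
 
@@ -407,26 +431,36 @@
   system("ps -aef | grep ogg123 | awk '{print $2}' | xargs kill -9");
   system("ps -aef | grep mpg123 | awk '{print $2}' | xargs kill -9");
-  system("/mit/sipb/bin/ogg123 -b 40000 -dau -q -f - $uri 2> /tmp/ogg123.out | audioplay");
-
-  # Done. Status:
+
+  # Prepare to write status:
   open(ZEPHYR, '|/usr/athena/bin/zwrite -d -n -c sipb-auto -i sipbmp3@xcb -s "SIPB LPR music spooler"');
 
-  # Check if there were any errors
-  open(OGGSTATUS, "/tmp/ogg123.out");
-  if ($_ = <OGGSTATUS>) {
-    print ZEPHYR "Playback completed with the following errors:\n";
-    print ZEPHYR $_;
-    while (<OGGSTATUS>) {
-      print ZEPHYR $_;
-    }
-  } else {
-    print ZEPHYR "Playback completed successfully.\n";
-  }
-  close(OGGSTATUS);
-  unlink(OGGSTATUS);
-
-  close(ZEPHYR);
-}
-
+  # fork for ogg123
+  my $pid = open(OGGSTATUS, "-|");
+  unless (defined $pid) {
+      print ZEPHYR "Couldn't fork: $!\n";
+      close(ZEPHYR);
+      return;
+  }
+  if ($pid) { # parent
+      # Check if there were any errors
+      if ($_ = <OGGSTATUS>) {
+          print ZEPHYR "Playback completed with the following errors:\n";
+          print ZEPHYR $_;
+          while (<OGGSTATUS>) {
+              print ZEPHYR $_;
+          }
+      } else {
+          print ZEPHYR "Playback completed successfully.\n";
+      }
+      close(OGGSTATUS) || print ZEPHYR "ogg123 exited $?\n";
+           
+      close(ZEPHYR);
+  }
+  else { #child
+      # redirect STDERR to STDOUT
+      open STDERR, '>&STDOUT';
+      exec("/mit/sipb/bin/ogg123","-b40000","-dau","-q","-f","-",$uri);
+  }
+}
 
 # Play an OggVorbis audio file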
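Review bot: The list-form `exec` calls take the shell out of the path, but `$uri` still reaches w3m, mpg123 and ogg123 unchecked as the final argument, so a value beginning with `-` would be parsed by those programs as an option rather than a location; directly after `$uri=$1;` a scheme check such as `unless ($uri =~ m{^https?://}i) { print ZEPHYR "Rejected URI\n"; close(ZEPHYR); return; }` would close that, assuming only http(s) URLs are expected here. In the ogg123 child the `exec` has no failure handling, unlike the w3m and mpg123 children, so a failed exec lets the child fall out of the `else` and carry on running the parent's code as a second copy of the filter; add `or die "Couldn't exec ogg123: $!";`. The removed ogg123 command piped the `-f -` output into `audioplay`, whereas the new child's STDOUT is the OGGSTATUS pipe, so the audio stream now appears to be read by the parent and printed to ZEPHYR as errors, which looks like a regression worth confirming. The subs containing the mpg123 and ogg123 hunks start outside the visible lines, so where `$uri` and `$up` come from there cannot be checked from this page.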