Merge branch 'master' of https://github.com/PolarisSS13/Polaris into polaris-sync-2018-03-15

# Conflicts:
#	README.md
#	code/__defines/mobs.dm
#	code/__defines/subsystems.dm
#	code/_helpers/global_lists.dm
#	code/controllers/subsystems/garbage.dm
#	code/controllers/subsystems/overlays.dm
#	code/datums/datacore.dm
#	code/datums/supplypacks/munitions.dm
#	code/game/machinery/suit_storage_unit.dm
#	code/game/objects/items/devices/communicator/UI.dm
#	code/game/objects/items/weapons/id cards/station_ids.dm
#	code/game/objects/random/random.dm
#	code/game/turfs/simulated/floor.dm
#	code/game/turfs/simulated/floor_icon.dm
#	code/modules/awaymissions/gateway.dm
#	code/modules/client/preferences.dm
#	code/modules/ext_scripts/python.dm
#	code/modules/mob/living/carbon/human/human.dm
#	code/modules/mob/living/carbon/human/life.dm
#	code/modules/mob/living/carbon/human/species/station/station.dm
#	code/modules/mob/living/carbon/human/species/virtual_reality/avatar.dm
#	code/modules/mob/living/carbon/human/update_icons.dm
#	code/modules/mob/living/living.dm
#	code/modules/mob/living/living_defines.dm
#	code/modules/mob/living/simple_animal/animals/bear.dm
#	code/modules/mob/mob_helpers.dm
#	code/modules/mob/new_player/new_player.dm
#	code/modules/mob/new_player/preferences_setup.dm
#	code/modules/mob/new_player/sprite_accessories.dm
#	code/modules/organs/organ_external.dm
#	code/modules/organs/organ_icon.dm
#	code/modules/organs/robolimbs.dm
#	code/modules/reagents/reagent_containers/glass.dm
#	code/modules/reagents/reagent_containers/syringes.dm
#	html/changelogs/.all_changelog.yml
#	maps/southern_cross/southern_cross-1.dmm
#	maps/southern_cross/southern_cross-3.dmm
#	maps/southern_cross/southern_cross-4.dmm
#	maps/southern_cross/southern_cross-6.dmm
#	vorestation.dme

code/modules/ext_scripts/irc.dm

@@ -2,7 +2,7 @@
 	return  // VOREStation Edit - Can't exploit shell if we never call shell!
 	if (config.use_irc_bot)
 		if (config.use_node_bot)
-			shell("node bridge.js -h \"[config.irc_bot_host]\" -p \"[config.irc_bot_port]\" -c \"[channel]\" -m \"[msg]\"")
+			shell("node bridge.js -h \"[config.irc_bot_host]\" -p \"[config.irc_bot_port]\" -c \"[channel]\" -m \"[escape_shell_arg(msg)]\"")
 		else
 			if (config.irc_bot_host)
 				if(config.irc_bot_export)
@@ -17,10 +17,10 @@
 							nudge_lib = "lib/nudge.so"
 
 						spawn(0)
-							call(nudge_lib, "nudge")("[config.comms_password]","[config.irc_bot_host]","[channel]","[msg]")
+							call(nudge_lib, "nudge")("[config.comms_password]","[config.irc_bot_host]","[channel]","[escape_shell_arg(msg)]")
 					else
 						spawn(0)
-							ext_python("ircbot_message.py", "[config.comms_password] [config.irc_bot_host] [channel] [msg]")
+							ext_python("ircbot_message.py", "[config.comms_password] [config.irc_bot_host] [channel] [escape_shell_arg(msg)]")
 	return
 
 /proc/send2mainirc(var/msg)

code/modules/ext_scripts/python.dm

@@ -1,10 +1,28 @@
+// Ported from /vg/.
+/proc/escape_shell_arg(var/arg)
+	// RCE prevention
+	// - Encloses arg in single quotes
+	// - Escapes single quotes
+	// Also escapes %, ! on windows
+	if(world.system_type == MS_WINDOWS)
+		arg = replacetext(arg, "^", "^^") // Escape char
+		arg = replacetext(arg, "%", "%%") // %PATH% -> %%PATH%%
+		arg = replacetext(arg, "!", "^!") // !PATH!, delayed variable expansion on Windows
+		arg = replacetext(arg, "\"", "^\"")
+		arg = "\"[arg]\""
+	else
+		arg = replacetext(arg, "\\", "\\\\'") // Escape char
+		arg = replacetext(arg, "'", "\\'")    // No breaking out of the single quotes.
+		arg = "'[arg]'"
+	return arg
+
 /proc/ext_python(var/script, var/args, var/scriptsprefix = 1)
 	return  // VOREStation Edit - Can't exploit shell if we never call shell!
-	if(scriptsprefix) script = "scripts/" + script
+	if(scriptsprefix)
+		script = "scripts/" + script
 
 	if(world.system_type == MS_WINDOWS)
 		script = replacetext(script, "/", "\\")
 
 	var/command = config.python_path + " " + script + " " + args
-
-	return shell(command)
+	return shell(command)