cyberpresidentvanellope/CHOMPStation2
1
0
Fork 0
mirror of https://github.com/CHOMPStation2/CHOMPStation2.git synced 2025-12-10 02:09:41 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
46c940fbdffe23d1e0935758914a3a702b0a4cab
CHOMPStation2/code/modules/ext_scripts/python.dm
CHOMPStation2StaffMirrorBot 46c940fbdf [MIRROR] Fix a bunch of issues and runtimes (#11145) 
Co-authored-by: Kashargul <144968721+Kashargul@users.noreply.github.com>
2025-07-05 21:47:08 +02:00

31 lines
1.0 KiB
Plaintext
Raw Blame History

// Ported from /vg/.
/proc/escape_shell_arg(var/arg)
// RCE prevention
// - Encloses arg in single quotes
// - Escapes single quotes
// Also escapes %, ! on windows
if(world.system_type == MS_WINDOWS)
arg = replacetext(arg, "^", "^^") // Escape char
arg = replacetext(arg, "%", "%%") // %PATH% -> %%PATH%%
arg = replacetext(arg, "!", "^!") // !PATH!, delayed variable expansion on Windows
arg = replacetext(arg, "\"", "^\"")
arg = "\"[arg]\""
else
arg = replacetext(arg, "\\", "\\\\'") // Escape char
arg = replacetext(arg, "'", "\\'") // No breaking out of the single quotes.
arg = "'[arg]'"
return arg
/proc/ext_python(var/script, var/arguments, var/scriptsprefix = 1)
return // VOREStation Edit - Can't exploit shell if we never call shell!
/* Unreachable with above vorestation edit
if(scriptsprefix)
script = "scripts/" + script
if(world.system_type == MS_WINDOWS)
script = replacetext(script, "/", "\\")
var/command = CONFIG_GET(string/python_path) + " " + script + " " + arguments
return shell(command)
*/
Reference in New Issue View Git Blame Copy Permalink