# Conflicts: # README.md # code/__defines/mobs.dm # code/__defines/subsystems.dm # code/_helpers/global_lists.dm # code/controllers/subsystems/garbage.dm # code/controllers/subsystems/overlays.dm # code/datums/datacore.dm # code/datums/supplypacks/munitions.dm # code/game/machinery/suit_storage_unit.dm # code/game/objects/items/devices/communicator/UI.dm # code/game/objects/items/weapons/id cards/station_ids.dm # code/game/objects/random/random.dm # code/game/turfs/simulated/floor.dm # code/game/turfs/simulated/floor_icon.dm # code/modules/awaymissions/gateway.dm # code/modules/client/preferences.dm # code/modules/ext_scripts/python.dm # code/modules/mob/living/carbon/human/human.dm # code/modules/mob/living/carbon/human/life.dm # code/modules/mob/living/carbon/human/species/station/station.dm # code/modules/mob/living/carbon/human/species/virtual_reality/avatar.dm # code/modules/mob/living/carbon/human/update_icons.dm # code/modules/mob/living/living.dm # code/modules/mob/living/living_defines.dm # code/modules/mob/living/simple_animal/animals/bear.dm # code/modules/mob/mob_helpers.dm # code/modules/mob/new_player/new_player.dm # code/modules/mob/new_player/preferences_setup.dm # code/modules/mob/new_player/sprite_accessories.dm # code/modules/organs/organ_external.dm # code/modules/organs/organ_icon.dm # code/modules/organs/robolimbs.dm # code/modules/reagents/reagent_containers/glass.dm # code/modules/reagents/reagent_containers/syringes.dm # html/changelogs/.all_changelog.yml # maps/southern_cross/southern_cross-1.dmm # maps/southern_cross/southern_cross-3.dmm # maps/southern_cross/southern_cross-4.dmm # maps/southern_cross/southern_cross-6.dmm # vorestation.dme
// Ported from /vg/.
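/proc/escape_shell_arg(var/arg)
	// Quotes one argument so it can be embedded in a command line passed to shell().
	// RCE prevention
	// - Windows: escapes ^, %, ! and the double quote, then encloses arg in double quotes
	// - Elsewhere: encloses arg in single quotes and escapes embedded single quotes
	// arg is expected to be text holding exactly one argument; the quoted text is returned.
	if(world.system_type == MS_WINDOWS)
		// NOTE(review): cmd.exe applies different rules inside a double-quoted region
		// (a caret there is generally taken literally), so this branch should be tested
		// against the real interpreter before it is trusted with untrusted text.
		// Checking arg against an allow-list before quoting is the safer design.
		arg = replacetext(arg, "^", "^^") // Escape char
		arg = replacetext(arg, "%", "%%") // %PATH% -> %%PATH%%
		arg = replacetext(arg, "!", "^!") // !PATH!, delayed variable expansion on Windows
		arg = replacetext(arg, "\"", "^\"")
		arg = "\"[arg]\""
	else
		// Inside POSIX single quotes every character is literal, backslash included.
		// A backslash therefore needs no escaping and cannot protect a quote that follows it.
		// The only character to handle is the single quote itself: close the quoted region,
		// emit a backslash-escaped quote, then reopen the region.
		// The previous code rewrote each backslash into two backslashes plus a stray quote
		// and put a backslash before each quote, which left the quoted region closable.
		arg = replacetext(arg, "'", "'\\''") // No breaking out of the single quotes.
		arg = "'[arg]'"
	return arg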
/proc/ext_python(var/script, var/args, var/scriptsprefix = 1)
	// Builds a command line for a Python helper script and hands it to shell().
	// Currently disabled: the bare return below exits before any command is built,
	// so every call returns nothing and never reaches shell().
	// script: script path; "scripts/" is prepended when scriptsprefix is true.
	// args: text appended verbatim after the script path.
	return // VOREStation Edit - Can't exploit shell if we never call shell!
	// Everything from here down is unreachable while the return above is in place.
	if(scriptsprefix)
		script = "scripts/" + script

	if(world.system_type == MS_WINDOWS)
		script = replacetext(script, "/", "\\") // Forward slashes become backslashes on Windows.

	// NOTE(review): config.python_path, script and args are joined with spaces and
	// nothing is quoted in this proc. If this path is ever re-enabled, each value must
	// already be safe for the shell. Presumably callers are expected to pass every
	// argument through escape_shell_arg() first; confirm at each call site.
	var/command = config.python_path + " " + script + " " + args
	return shell(command)