* selection target * ugh * fix deadmin * larger * fix paper icons * those are inverted * don't miss that * fix all * point transfer * add nostrip flag to items * un.... teppi * . * end life proc after qdel * this could be null in very rare cases * this has a lot of sleeps, someday should be refactored and check for qdeleted * needs to be an object * qdel check this * use the rsc properly * wtf? * . * fix narrate * . * push * inform user, null it * . * can be null * fix maint lurkers * . * spans * . * fix that too * urg * fix distillery * don't wrap them * needs usr * Update cash_register.dm * quick hook cleanup * lots of fixes * . * clean that up for reasons
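// Ported from /vg/.
// Quotes `arg` so that it can be appended to a shell command line as one argument.
// Returns the quoted text; the input is not modified in place.
/proc/escape_shell_arg(var/arg)
	// RCE prevention
	// - Windows: escapes ^, %, ! and ", then encloses arg in double quotes
	// - Elsewhere: encloses arg in single quotes and neutralises embedded single quotes
	if(world.system_type == MS_WINDOWS)
		// NOTE(review): cmd.exe quoting is best-effort. Inside a double-quoted region
		// cmd.exe treats ^ as a literal character, and %% only collapses to % in batch
		// files, so these replacements may not neutralise every metacharacter.
		// Confirm against how shell() launches the command before relying on this branch.
		arg = replacetext(arg, "^", "^^") // Escape char
		arg = replacetext(arg, "%", "%%") // %PATH% -> %%PATH%%
		arg = replacetext(arg, "!", "^!") // !PATH!, delayed variable expansion on Windows
		arg = replacetext(arg, "\"", "^\"")
		arg = "\"[arg]\""
	else
		// Inside POSIX single quotes every character is literal, backslash included, so
		// a quote cannot be escaped with a backslash there and backslashes need no
		// doubling. The previous code emitted \' (and added a stray ' for every
		// backslash), which ended the quoted region early. Close the quote, emit an
		// escaped quote, then reopen: ' becomes '\''
		arg = replacetext(arg, "'", "'\\''")
		arg = "'[arg]'"
	return arg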
// Disabled entry point for running an external Python script through shell().
// All three parameters are accepted for caller compatibility and ignored; the proc
// returns immediately without a value.
/proc/ext_python(var/script, var/arguments, var/scriptsprefix = 1)
	// VOREStation Edit - Can't exploit shell if we never call shell!
	return

	// NOTE(review): the disabled body below concatenates `script` and `arguments` into
	// the command line without quoting. If this is ever re-enabled, pass each value
	// through escape_shell_arg() and restrict `script` to a known set of file names.
	/* Unreachable with above vorestation edit
	if(scriptsprefix)
		script = "scripts/" + script

	if(world.system_type == MS_WINDOWS)
		script = replacetext(script, "/", "\\")

	var/command = config.python_path + " " + script + " " + arguments
	return shell(command)
	*/