Properly deal with quotes in the arguments of '#exec' includes.

(closes issue #15583) Reported by: pkempgen Patches: 20090726__issue15583.diff.txt uploaded by tilghman (license 14) 20090726__issue15583-1.4-4.diff.txt uploaded by pkempgen (license 169) Tested by: pkempgen git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@219023 65c4cc65-6c06-0410-ace0-fbb531ad65f3
2025-10-07 13:49:18 +00:00 · 2009-09-16 23:21:53 +00:00
parent 6913d06d19
commit d28e69ad5d
2 changed files with 23 additions and 9 deletions
--- a/configs/extensions.conf.sample
+++ b/configs/extensions.conf.sample
@@ -73,6 +73,8 @@ clearglobalvars=no
 ; that includes contexts within other contexts. The #include command works
 ; in all asterisk configuration files.
 ;#include "filename.conf"
+;#include <filename.conf>
+;#include filename.conf
 ;
 ; You can execute a program or script that produces config files, and they
 ; will be inserted where you insert the #exec command. The #exec command 
@@ -80,6 +82,9 @@ clearglobalvars=no
 ; activate them within asterisk.conf with the "execincludes" option.  They
 ; are otherwise considered a security risk.
 ;#exec /opt/bin/build-extra-contexts.sh
+;#exec /opt/bin/build-extra-contexts.sh --foo="bar"
+;#exec </opt/bin/build-extra-contexts.sh --foo="bar">
+;#exec "/opt/bin/build-extra-contexts.sh --foo=\"bar\""
 ;

 ; The "Globals" category contains global variables that can be referenced
--- a/main/config.c
+++ b/main/config.c
@@ -717,16 +717,25 @@ static int process_text_line(struct ast_config *cfg, struct ast_category **cat,
 		}
 		if (do_include || do_exec) {
 			if (c) {
-				/* Strip off leading and trailing "'s and <>'s */
-				while((*c == '<') || (*c == '>') || (*c == '\"')) c++;
-				/* Get rid of leading mess */
 				cur = c;
-				while (!ast_strlen_zero(cur)) {
-					c = cur + strlen(cur) - 1;
-					if ((*c == '>') || (*c == '<') || (*c == '\"'))
-						*c = '\0';
-					else
-						break;
+				/* Strip off leading and trailing "'s and <>'s */
+				if (*c == '"') {
+					/* Dequote */
+					while (*c) {
+						if (*c == '"') {
+							strcpy(c, c + 1); /* SAFE */
+							c--;
+						} else if (*c == '\\') {
+							strcpy(c, c + 1); /* SAFE */
+						}
+						c++;
+					}
+				} else if (*c == '<') {
+					/* C-style include */
+					if (*(c + strlen(c) - 1) == '>') {
+						cur++;
+						*(c + strlen(c) - 1) = '\0';
+					}
 				}
 				/* #exec </path/to/executable>
 				   We create a tmp file, then we #include it, then we delete it. */