Fix: security finding in issue #121.
Avoids shell injection by verifying that the supplied value is a file. Also allows for spaces in the file path, which probably fixes certain devices that were crashing when trying to open logs.
parent
f6622d2320
commit
7d95585c4e
|
@ -25,6 +25,7 @@ import kotlinx.coroutines.launch
|
|||
import okio.Okio
|
||||
import java.io.File
|
||||
import java.io.IOException
|
||||
import java.lang.IllegalArgumentException
|
||||
|
||||
|
||||
class ProfileFragment : BaseFragment<FragmentProfileBinding>() {
|
||||
|
@ -110,7 +111,12 @@ class ProfileFragment : BaseFragment<FragmentProfileBinding>() {
|
|||
private fun writeLogcat(): File? {
|
||||
try {
|
||||
val outputFile = File("${ZcashWalletApp.instance.filesDir}/logs", "developer_log.txt")
|
||||
val cmd = arrayOf("/bin/sh", "-c", "logcat -v time -d | grep \"@TWIG\" > ${outputFile.absolutePath}")
|
||||
if (!outputFile.parentFile.isFile) {
|
||||
// addresses security finding in issue #121
|
||||
throw IllegalArgumentException("Invalid path: ${outputFile.absolutePath}. Verify" +
|
||||
" that the default files directory is not being manipulated.")
|
||||
}
|
||||
val cmd = arrayOf("/bin/sh", "-c", "logcat -v time -d | grep \"@TWIG\" > \"${outputFile.absolutePath}\"")
|
||||
Runtime.getRuntime().exec(cmd)
|
||||
return outputFile
|
||||
} catch (e: IOException) {
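Review bot: The new guard `if (!outputFile.parentFile.isFile)` tests the `logs` directory with `isFile`, which is false for a directory, so the throw fires whenever `logs` is a normal directory (or is missing) and the log is never written; the check was presumably meant to use `isDirectory`. The `IllegalArgumentException` is also not covered by the visible `catch (e: IOException)`, so unless a handler exists outside the hunk it propagates to the caller. Wrapping the path in double quotes handles spaces, but inside double quotes `sh` still performs command and variable substitution and a literal quote ends the string, so the path is still parsed as command text. Running `logcat` without a shell and filtering for `@TWIG` in Kotlin removes that surface and also means the file is complete before it is returned; the catch block of writeLogcat continues outside the hunk.

```kotlin
val outputFile = File("${ZcashWalletApp.instance.filesDir}/logs", "developer_log.txt")
val logDir = outputFile.parentFile
if (logDir == null || !(logDir.isDirectory || logDir.mkdirs())) {
    // IOException is handled by the existing catch block of this function.
    throw IOException("Cannot use log directory for ${outputFile.absolutePath}")
}
// No shell involved: the path is passed to the File API only, never parsed as command text.
val process = ProcessBuilder("logcat", "-v", "time", "-d").start()
process.inputStream.bufferedReader().useLines { lines ->
    outputFile.bufferedWriter().use { out ->
        lines.filter { "@TWIG" in it }.forEach { line ->
            out.write(line)
            out.newLine()
        }
    }
}
// … unchanged: return outputFile and the catch block …
```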
|
||||
|
|