Merge pull request #181 from zcash/bugfix/possible-shell-injection
Fix: security finding in issue #121.
This commit is contained in:
commit
f9e085f661
|
@ -25,6 +25,7 @@ import kotlinx.coroutines.launch
|
|||
import okio.Okio
|
||||
import java.io.File
|
||||
import java.io.IOException
|
||||
import java.lang.IllegalArgumentException
|
||||
|
||||
|
||||
class ProfileFragment : BaseFragment<FragmentProfileBinding>() {
|
||||
|
@ -109,8 +110,14 @@ class ProfileFragment : BaseFragment<FragmentProfileBinding>() {
|
|||
|
||||
private fun writeLogcat(): File? {
|
||||
try {
|
||||
val outputFile = File("${ZcashWalletApp.instance.filesDir}/logs", "developer_log.txt")
|
||||
val cmd = arrayOf("/bin/sh", "-c", "logcat -v time -d | grep \"@TWIG\" > ${outputFile.absolutePath}")
|
||||
// Note: the /logs directory has been configured as a file provider under @xml/file_paths which allows the temporary sharing of this file
|
||||
val outputFile = File("${ZcashWalletApp.instance.filesDir}/logs", "developer_log.txt").also { it.parentFile.mkdirs() }
|
||||
if (!outputFile.parentFile.isDirectory) {
|
||||
// addresses security finding in issue #121
|
||||
throw IllegalArgumentException("Invalid path: ${outputFile.parentFile}. Verify" +
|
||||
" that the default files directory is not being manipulated.")
|
||||
}
|
||||
val cmd = arrayOf("/bin/sh", "-c", "logcat -v time -d | grep '@TWIG' > '${outputFile.absolutePath}'")
|
||||
Runtime.getRuntime().exec(cmd)
|
||||
return outputFile
|
||||
} catch (e: IOException) {
|
||||
|
|
Loading…
Reference in New Issue