Prevent shell injection when converting INO file to CPP // Resolve #4532

2023-01-27 21:06:13 +02:00
parent 0d57a799b5
commit 15d53c95c0
2 changed files with 6 additions and 1 deletions
--- a/HISTORY.rst
+++ b/HISTORY.rst
@ -14,6 +14,11 @@ PlatformIO Core 6

 **A professional collaborative platform for declarative, safety-critical, and test-driven embedded development.**

+6.1.7 (2023-??-??)
+~~~~~~~~~~~~~~~~~~
+
+* Prevented shell injection when converting INO file to CPP (`issue #4532 <https://github.com/platformio/platformio-core/issues/4532>`_)
+
 6.1.6 (2023-01-23)
 ~~~~~~~~~~~~~~~~~~

--- a/platformio/builder/tools/pioino.py
+++ b/platformio/builder/tools/pioino.py
@ -103,7 +103,7 @@ class InoToCPPConverter:
        return "\n".join(["#include <Arduino.h>"] + lines) if lines else None

    def process(self, contents):
-        out_file = self._main_ino + ".cpp"
+        out_file = re.sub(r"[\"\'\;]+", "", self._main_ino, flags=re.I) + ".cpp"
        assert self._gcc_preprocess(contents, out_file)
        contents = self.read_safe_contents(out_file)
        contents = self._join_multiline_strings(contents)