feedc0de/platformio-core
1
0
Fork 0
forked from platformio/platformio-core
Code Pull Requests Activity

Prevent shell injection when converting INO file to CPP // Resolve #4532

Browse Source
This commit is contained in:
Ivan Kravets
2023-01-27 21:06:13 +02:00
parent 0d57a799b5
commit 15d53c95c0
2 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
HISTORY.rst
View File

@@ -14,6 +14,11 @@ PlatformIO Core 6
**A professional collaborative platform for declarative, safety-critical, and test-driven embedded development.** **A professional collaborative platform for declarative, safety-critical, and test-driven embedded development.**
6.1.7 (2023-??-??)
~~~~~~~~~~~~~~~~~~
* Prevented shell injection when converting INO file to CPP (`issue #4532 <https://github.com/platformio/platformio-core/issues/4532>`_)
6.1.6 (2023-01-23) 6.1.6 (2023-01-23)
~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~

2
platformio/builder/tools/pioino.py
View File

@@ -103,7 +103,7 @@ class InoToCPPConverter:
return "\n".join(["#include <Arduino.h>"] + lines) if lines else None return "\n".join(["#include <Arduino.h>"] + lines) if lines else None
def process(self, contents): def process(self, contents):
out_file = self._main_ino + ".cpp" out_file = re.sub(r"[\"\'\;]+", "", self._main_ino, flags=re.I) + ".cpp"
assert self._gcc_preprocess(contents, out_file) assert self._gcc_preprocess(contents, out_file)
contents = self.read_safe_contents(out_file) contents = self.read_safe_contents(out_file)
contents = self._join_multiline_strings(contents) contents = self._join_multiline_strings(contents)