[http] analyze arguments of cmd.json

linev · linev · commit d9aca6d64f67 · 2026-05-21T07:58:02.000+02:00
While here arbitrary string injected into ProcessLine,
ensure that only numeric argument is not quoted.
All other arguments kinds will be quoted and prevent execution of potentially dangerous code
diff --git a/net/http/src/TRootSniffer.cxx b/net/http/src/TRootSniffer.cxx
@@ -33,6 +33,7 @@
 #include <memory>
 #include <vector>
 #include <string.h>
+#include <ctype.h>
 
 const char *item_prop_kind = "_kind";
 const char *item_prop_more = "_more";
@@ -1209,9 +1210,41 @@ Bool_t TRootSniffer::ExecuteCmd(const std::string &path, const std::string &opti
             return kTRUE;
          }
 
-         TString svalue = DecodeUrlOptionValue(argvalue, kTRUE);
          argname = TString("%") + argname + TString("%");
-         method.ReplaceAll(argname, svalue);
+         auto p = method.Index(argname);
+         if (p == kNPOS)
+            continue;
+
+         method.Remove(p, argname.Length());
+
+         if ((p > 0) && (p < method.Length()) && (method.Length() > 1) && (method[p-1] == '"') && (method[p] == '"')) {
+            // command definition has quotes around argument
+            // one can insert value from URL removing quotes
+            method.Insert(p, DecodeUrlOptionValue(argvalue, kTRUE));
+            continue;
+         }
+
+         // extract argument without removing quotes
+         TString svalue = DecodeUrlOptionValue(argvalue, kFALSE);
+
+         if ((svalue.Length() > 1) && (svalue[0] == '"') && (svalue[svalue.Length() - 1] == '"')) {
+            // if value itself has quotes, all special symbols already escaped and one can insert it as is
+            method.Insert(p, svalue);
+            continue;
+         }
+
+         Bool_t is_numeric = kTRUE;
+         // expect decimal, hex or float values here, E/e also belong to hex
+         for(Size_t i = 0; is_numeric && (i < svalue.Length()); ++i)
+            is_numeric = std::isxdigit(svalue[i]) || std::strchr(".+-", svalue[i]);
+
+         // always quote content which not numeric
+         if (!is_numeric)
+            svalue = "\"" + svalue + "\"";
+         else if (svalue.IsNull())
+            svalue = "0";
+
+         method.Insert(p, svalue);
       }
    }
 
