From 314e93b4cb943125cb5d477df8887706aaedce54 Mon Sep 17 00:00:00 2001
From: "dylan.araps@gmail.com" <dylan.araps@gmail.com>
Date: Tue, 1 Oct 2019 19:34:34 +0000
Subject: kiss: sanitize user input when needed

FossilOrigin-Name: 92f8cf9a72b3b512d1d68a418bb2d6eecbca62287a344dae0d746ebd50eacd11
---
 kiss | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'kiss')

diff --git a/kiss b/kiss
index 5cd8cb4..c84baac 100755
--- a/kiss
+++ b/kiss
@@ -845,6 +845,17 @@ args() {
     # arguments despite trapping the error ('|| :').
     shift "$(($# > 0 ? 1 : 0))"
 
+    # Unless this is a search, sanitize the user's input. The call to
+    # 'pkg_find()' supports basic globbing, ensure input doesn't expand
+    # to anything except for when this behavior is needed.
+    [ "$action" != search ] && [ "$action" != s ] &&
+        case $* in
+            *[!a-zA-Z0-9_-]*)
+                log kiss "$action $*"
+                die "Arguments contain invalid characters"
+            ;;
+        esac
+
     # Parse some arguments earlier to remove the need to duplicate code.
     case $action in
         c|checksum|s|search)
-- 
cgit v1.2.3