From ba505e86c9c9a98cc7fe0790da30b0a4a7fccf0e Mon Sep 17 00:00:00 2001
From: Thomas Schmitt
Date: Sat, 7 Dec 2019 15:35:41 +0100
Subject: [PATCH] Imposing stricter checks on option parameters
---
 xorriso-dd-target/xorriso-dd-target | 47 +++++++++++++++++++++--------
 1 file changed, 34 insertions(+), 13 deletions(-)
diff --git a/xorriso-dd-target/xorriso-dd-target b/xorriso-dd-target/xorriso-dd-target
index ceeaf2f8..0410baad 100755
--- a/xorriso-dd-target/xorriso-dd-target
+++ b/xorriso-dd-target/xorriso-dd-target
@@ -131,6 +131,31 @@ round_down_div_million() {
 -e 's/[Tt]$/000000/'
 }
+## Check for harmless name or number in program argument
+check_parameter() {
+ if test "$2" = "device_name"
+ then
+ if echo "$1" | grep '[^A-za-z0-9_/-]' >/dev/null
+ then
+ echo "SORRY: Given device name contains unexpected character. Ok: [A-za-z0-9_/-]" >&2
+ exit 12
+ fi
+ elif test "$2" = "image_file"
+ then
+ if echo "$1" | grep '[$`[*?<>|&!{\]' >/dev/null
+ then
+ echo "SORRY: Given image file name contains unexpected character. Not ok: "'[$`[*?<>|&!{\]' >&2
+ exit 15
+ fi
+ else
+ if echo "$1" | grep -v '^[0-9][0-9]*[0-9MGTmgt]$' >/dev/null
+ then
+ echo "SORRY: Number for $2 too short or bad character. Ok: [0-9][0-9MGTmgt]" >&2
+ exit 14
+ fi
+ fi
+}
+
 ### Assessing arguments and setting up the job
 # Settings
@@ -163,15 +188,18 @@ arg_interpreter() {
 # The next_is option parameter readers get programmed by the -options
 if test "$next_is" = "max_size"
 then
+ check_parameter "$i" -max_size
 max_size="$(echo "$i" | round_down_div_million)"
 next_is=
 elif test "$next_is" = "min_size"
 then
+ check_parameter "$i" -min_size
 min_size="$(echo "$i" | round_down_div_million)"
 min_size="$(expr $min_size + 1)"
 next_is=
 elif test "$next_is" = "image_file"
 then
+ check_parameter "$i" image_file
 image_file="$i"
 min_size="$(stat -c '%s' "$i" | round_down_div_million)"
 if test -z "$min_size"
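Review bot: The device_name branch of check_parameter writes the range as `A-z` in `[^A-za-z0-9_/-]`, which in ASCII order also covers `[`, `\`, `]`, `^` and the backtick, so those characters pass a check that is meant to allow only letters, digits, `_`, `/` and `-`. The pattern should read `grep '[^A-Za-z0-9_/-]'`, and the same typo in the SORRY message should be corrected with it; running the grep under `LC_ALL=C` would keep the ranges byte-wise in every locale. The image_file branch is a deny-list and leaves `;`, quotes, parentheses and white space unrejected; whether that matters depends on how image_file is used further down, which this hunk does not show.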
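Review bot: The image_file check called here does not reject a leading `-`, and the value goes straight into `stat -c '%s' "$i"` two lines below, where a name beginning with a dash would be read by stat as an option rather than a file. Ending option parsing, `min_size="$(stat -c '%s' -- "$i" | round_down_div_million)"`, closes that gap. For the same reason `printf '%s\n' "$1"` is safer than `echo "$1"` inside check_parameter, since some shells' echo treats values such as `-n` as flags and would feed an empty line to grep. The arg_interpreter body starts and ends outside the hunk.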
@@ -231,20 +259,14 @@ arg_interpreter() {
 exit 0
 elif echo "$i" | grep -v '^-' >/dev/null
 then
- num=$(echo "$i" | wc -w)
- if test "$num" = 1
- then
- devs_named=y
- devs="$devs $i"
- show_reasons=y
- else
- echo "$0 : Given device name is not a single word: '$i'" >&2
- exit 12
- fi
+ check_parameter "$i" device_name
+ devs_named=y
+ devs="$devs $i"
+ show_reasons=y
 else
- echo "$0 : Unknown option: $i" >&2
+ echo "$0 : Unknown option: '$i'" >&2
 echo >&2
- print_usage >&2
+ echo "For a help text run: $0 -help" >&2
 exit 1
 fi
 done
@@ -426,7 +448,6 @@ list_devices() {
 transports="mmcblk"
 elif echo "$name" | grep -F "/" >/dev/null
 then
- echo "NOTE: The device name must not contain '/' characters" >&2
 transports=not_an_expected_name
 reasons="${reasons}name_with_slash- "
 else
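Review bot: Replacing the `wc -w` test with `check_parameter "$i" device_name` loosens two cases the old code rejected: an empty argument and an argument containing a newline. grep examines the input line by line, so the negated bracket expression finds no offending character in either case, and the value is appended to `devs` with `devs_named=y` set. A whole-string test inside check_parameter covers both, for example `case "$1" in ''|*[!A-Za-z0-9_/-]*) echo "SORRY: ..." >&2; exit 12;; esac`. The loop in arg_interpreter starts outside the hunk, so this assumes no earlier branch already filters empty arguments.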