security: fix JSON injection in native-protocol-tcp address

The listen address was inserted into JSON without escaping. Build the address string first, then encode it with spa_json_encode_string to prevent injection of arbitrary JSON keys. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-02 06:46:36 -04:00 · 2026-04-29 17:52:19 +02:00 · 2026-04-29 17:52:19 +02:00 · 1b8962d7c2
commit 1b8962d7c2
parent c5c2d197dc
1 changed files with 7 additions and 2 deletions
--- a/src/modules/module-protocol-pulse/modules/module-native-protocol-tcp.c
+++ b/src/modules/module-protocol-pulse/modules/module-native-protocol-tcp.c
@ -2,6 +2,7 @@
 /* SPDX-FileCopyrightText: Copyright © 2021 Wim Taymans <wim.taymans@gmail.com> */
 /* SPDX-License-Identifier: MIT */

+#include <spa/utils/json.h>
 #include <pipewire/pipewire.h>

 #include "../module.h"
@ -78,6 +79,7 @@ static int module_native_protocol_tcp_prepare(struct module * const module)
 	struct module_native_protocol_tcp_data * const d = module->user_data;
 	struct pw_properties * const props = module->props;
 	const char *port, *listen, *auth;
+	char address[1024], encoded[1024];
 	FILE *f;
 	char *args;
 	size_t size;
@ -95,9 +97,12 @@ static int module_native_protocol_tcp_prepare(struct module * const module)
 	if (f == NULL)
 		return -errno;

+	snprintf(address, sizeof(address), "tcp:%s%s%s",
+			listen ? listen : "", listen ? ":" : "", port);
+	spa_json_encode_string(encoded, sizeof(encoded), address);
+
 	fprintf(f, "[ { ");
-	fprintf(f, " \"address\": \"tcp:%s%s%s\" ",
-			   listen ? listen : "", listen ? ":" : "", port);
+	fprintf(f, " \"address\": %s ", encoded);
 	if (auth && module_args_parse_bool(auth))
 		fprintf(f, " \"client.access\": \"unrestricted\" ");
 	fprintf(f, "} ]");