mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-03 06:47:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix JSON injection in PulseAudio do_set_default

Browse source 
The device name was interpolated into a JSON metadata string without
escaping. A node with crafted name containing quote characters could
inject arbitrary JSON keys into the default sink/source metadata.
Use spa_json_encode_string to properly escape the value.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-29 17:09:50 +02:00
parent d3e1be8b6e
commit 2d8dc8b457
1 changed files with 3 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/modules/module-protocol-pulse/pulse-server.c
View file

@ -4802,10 +4802,12 @@ static int do_set_default(struct client *client, uint32_t command, uint32_t tag,
else if (spa_strendswith(name, ".monitor")) else if (spa_strendswith(name, ".monitor"))
name = strndupa(name, strlen(name)-8); name = strndupa(name, strlen(name)-8);
char val[1024];
spa_json_encode_string(val, sizeof(val), name);
res = pw_manager_set_metadata(manager, client->metadata_default, res = pw_manager_set_metadata(manager, client->metadata_default,
PW_ID_CORE, PW_ID_CORE,
sink ? METADATA_CONFIG_DEFAULT_SINK : METADATA_CONFIG_DEFAULT_SOURCE, sink ? METADATA_CONFIG_DEFAULT_SINK : METADATA_CONFIG_DEFAULT_SOURCE,
"Spa:String:JSON", "{ \"name\": \"%s\" }", name); "Spa:String:JSON", "{ \"name\": %s }", val);
} else { } else {
res = pw_manager_set_metadata(manager, client->metadata_default, res = pw_manager_set_metadata(manager, client->metadata_default,
PW_ID_CORE, PW_ID_CORE,