From 80ec1f1d101d8057b2b1479c46b29c89b56d87d0 Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Wed, 29 Apr 2026 16:16:44 +0200 Subject: [PATCH] security: fix JSON injection in PulseAudio stream-restore The device_name from a client message was interpolated directly into a JSON string without escaping. A malicious client could inject arbitrary JSON keys by including quote characters in the device name. Use spa_json_encode_string to properly escape the value. Co-Authored-By: Claude Opus 4.7 --- .../module-protocol-pulse/modules/module-stream-restore.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/modules/module-protocol-pulse/modules/module-stream-restore.c b/src/modules/module-protocol-pulse/modules/module-stream-restore.c index a33ab6fa2..3304a0dec 100644 --- a/src/modules/module-protocol-pulse/modules/module-stream-restore.c +++ b/src/modules/module-protocol-pulse/modules/module-stream-restore.c @@ -304,8 +304,11 @@ static int do_extension_stream_restore_write(struct module *module, struct clien } if (device_name != NULL && device_name[0] && (client->default_source == NULL || !spa_streq(device_name, client->default_source)) && - (client->default_sink == NULL || !spa_streq(device_name, client->default_sink))) - fprintf(f, ", \"target-node\": \"%s\"", device_name); + (client->default_sink == NULL || !spa_streq(device_name, client->default_sink))) { + char target[1024]; + spa_json_encode_string(target, sizeof(target), device_name); + fprintf(f, ", \"target-node\": %s", target); + } fprintf(f, " }"); fclose(f); if (key_from_name(name, key, sizeof(key)) >= 0) {