mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-04 06:46:24 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: fix JSON injection in PulseAudio stream-restore

Browse source 
The device_name from a client message was interpolated directly into
a JSON string without escaping. A malicious client could inject
arbitrary JSON keys by including quote characters in the device name.
Use spa_json_encode_string to properly escape the value.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-29 16:16:44 +02:00
parent a2de6c886e
commit 80ec1f1d10
1 changed files with 5 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/modules/module-protocol-pulse/modules/module-stream-restore.c
View file

@ -304,8 +304,11 @@ static int do_extension_stream_restore_write(struct module *module, struct clien
} }
if (device_name != NULL && device_name[0] && if (device_name != NULL && device_name[0] &&
(client->default_source == NULL || !spa_streq(device_name, client->default_source)) && (client->default_source == NULL || !spa_streq(device_name, client->default_source)) &&
(client->default_sink == NULL || !spa_streq(device_name, client->default_sink))) (client->default_sink == NULL || !spa_streq(device_name, client->default_sink))) {
fprintf(f, ", \"target-node\": \"%s\"", device_name); char target[1024];
spa_json_encode_string(target, sizeof(target), device_name);
fprintf(f, ", \"target-node\": %s", target);
}
fprintf(f, " }"); fprintf(f, " }");
fclose(f); fclose(f);
if (key_from_name(name, key, sizeof(key)) >= 0) { if (key_from_name(name, key, sizeof(key)) >= 0) {