mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-03 06:47:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

security: reject path traversal in echo-cancel aec_method parameter

Browse source 
The aec_method parameter is interpolated into a SPA library path
as "aec/libspa-aec-%s". A client could use "../" sequences to
load arbitrary SPA plugins. Reject values containing ".." or "/".

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Wim Taymans 2026-04-30 17:44:28 +02:00
parent 5d0e806bdb
commit c551408ec2
1 changed files with 4 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/modules/module-protocol-pulse/modules/module-echo-cancel.c
View file

@ -275,6 +275,10 @@ static int module_echo_cancel_prepare(struct module * const module)
if ((str = pw_properties_get(props, "aec_method")) == NULL)
str = "webrtc";
if (strstr(str, "..") != NULL || strchr(str, '/') != NULL) {
res = -EINVAL;
goto out;
}
pw_properties_setf(global_props, "library.name", "aec/libspa-aec-%s", str);
if ((str = pw_properties_get(props, "source_name")) != NULL) {