OpenURL() - Added small security check

2025-09-17 00:38:14 +00:00 · 2018-11-12 14:59:31 +01:00
parent d2f4cc1142
commit 618f220851
1 changed files with 31 additions and 11 deletions
--- a/src/core.c
+++ b/src/core.c
@@ -1820,14 +1820,32 @@ int StorageLoadValue(int position)
 }

 // Open URL with default system browser (if available)
-// Note:
-// This function is onlyl safe to use if you control the URL given.
+// NOTE: This function is onlyl safe to use if you control the URL given.
 // A user could craft a malicious string performing another action.
-// Only call this function yourself not with user input or make sure to check the
-// string yourself.
-// See https://github.com/raysan5/raylib/issues/686
+// Only call this function yourself not with user input or make sure to check the string yourself.
+// CHECK: https://github.com/raysan5/raylib/issues/686
 void OpenURL(const char *url)
 {
+    // Small security check trying to avoid (partially) malicious code... 
+    // sorry for the inconvenience when you hit this point...
+    bool validUrl = true;
+    int len = strlen(url);
+    
+    for (int i = 0; i < len; i++) 
+    {
+        if ((url[i] == ';') || 
+            (url[i] == '?') || 
+            (url[i] == ':') || 
+            (url[i] == '=') || 
+            (url[i] == '&')) 
+        {
+            validUrl = false;
+            break;
+        }
+    }
+    
+    if (validUrl)
+    {
        char *cmd = calloc(strlen(url) + 10, sizeof(char));

 #if defined(_WIN32)
@@ -1840,6 +1858,8 @@ void OpenURL(const char *url)
        system(cmd);
    
        free(cmd);
+    }
+    else TraceLog(LOG_WARNING, "Provided URL does not seem to be valid.");
 }

 //----------------------------------------------------------------------------------