browser-android: Use more robust mechanism for starting browser

Use os_exec() to run the external browser to avoid undesired command
line processing for control interface event strings. Previously, it
could have been possible for some of the event strings to include
unsanitized data which is not suitable for system() use.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

diff --git a/src/utils/browser-android.c b/src/utils/browser-android.c
index a06639254e1c89787b7516da58df79775b787ded..d5ff5b5c3ceca2387a3f59d0630ef2189fe8ade7 100644 (file)
--- a/src/utils/browser-android.c
+++ b/src/utils/browser-android.c
@@ -75,7 +75,7 @@ int hs20_web_browser(const char *url)
        os_memset(&data, 0, sizeof(data));
 
        ret = os_snprintf(cmd, sizeof(cmd),
-                         "am start -a android.intent.action.VIEW -d '%s' "
+                         "start -a android.intent.action.VIEW -d %s "
                          "-n com.android.browser/.BrowserActivity", url);
        if (ret < 0 || (size_t) ret >= sizeof(cmd)) {
                wpa_printf(MSG_ERROR, "Too long URL");
@@ -94,7 +94,7 @@ int hs20_web_browser(const char *url)
                return -1;
        }
 
-       if (system(cmd) != 0) {
+       if (os_exec("/system/bin/am", cmd, 1) != 0) {
                wpa_printf(MSG_INFO, "Failed to launch Android browser");
                eloop_cancel_timeout(browser_timeout, NULL, NULL);
                http_server_deinit(http);
@@ -109,7 +109,7 @@ int hs20_web_browser(const char *url)
        eloop_destroy();
 
        wpa_printf(MSG_INFO, "Closing Android browser");
-       if (system("input keyevent 3") != 0) {
+       if (os_exec("/system/bin/input", "keyevent 3", 1) != 0) {
                wpa_printf(MSG_INFO, "Failed to inject keyevent");
        }