From: Arvin Schnell
Date: Mon, 19 Jan 2015 11:45:10 +0000 (+0100)
Subject: - stricter dbus string escaping (see bsc#913238)
X-Git-Tag: v0.2.5^2~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=379e3af1303fa15fb9d3d6b1fc4eabb311c427c9;p=thirdparty%2Fsnapper.git
- stricter dbus string escaping (see bsc#913238)
---
diff --git a/dbus/DBusMessage.cc b/dbus/DBusMessage.cc
index da776e67..fab984f8 100644
--- a/dbus/DBusMessage.cc
+++ b/dbus/DBusMessage.cc
@@ -305,17 +305,13 @@ namespace DBus
 }
 else if (*it == 'x')
 {
- if (++it == in.end())
- throw MarshallingException();
-
 string t1;
-
- if (!isxdigit(*it))
- throw MarshallingException();
- t1 += *it;
-
- if ((it + 1) != in.end() && isxdigit(*(it + 1)))
- t1 += *++it;
+ for (int i = 0; i < 2; ++i)
+ {
+ if (++it == in.end() || !isxdigit(*it))
+ throw MarshallingException();
+ t1 += *it;
+ }
 
 unsigned int t2;
 sscanf(t1.c_str(), "%x", &t2);
@@ -365,7 +361,7 @@ namespace DBus
 else if ((unsigned char)(*it) > 127)
 {
 char s[5];
- snprintf(s, 5, "\\x%x", (unsigned char)(*it));
+ snprintf(s, 5, "\\x%02x", (unsigned char)(*it));
 out += string(s);
 }
 else
diff --git a/doc/dbus-protocol.txt b/doc/dbus-protocol.txt
index 6aa0b29d..dfbf41e6 100644
--- a/doc/dbus-protocol.txt
+++ b/doc/dbus-protocol.txt
@@ -55,7 +55,7 @@ method GetFiles config-name number1 number2 -> list(filename status) Filenames do not include the subvolume. Strings are UTF-8. Other characters (e.g. in filenames) must be encoded
-hexadecimal as "\x?" or "\x??". As a consequence "\" must be encoded as "\\".
+hexadecimal as "\x??". As a consequence "\" must be encoded as "\\".
 Due to security concerns there are no methods to get, compare or revert files. This can be done in the client.
diff --git a/package/snapper.changes b/package/snapper.changes
index 97fd7bce..c23cef5d 100644
--- a/package/snapper.changes
+++ b/package/snapper.changes
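Review bot: `isxdigit(*it)` in the added loop still passes a plain `char`, so on targets where `char` is signed a byte of 0x80 or above that follows `\x` in the incoming string reaches the `<cctype>` classifier as a negative value, which is undefined behaviour; the escaping side in the next hunk already casts `(unsigned char)(*it)` before its comparison, and the decoder should match it: `if (++it == in.end() || !isxdigit((unsigned char)*it))`. The string is whatever the peer on the bus sent, so the decoder cannot assume it was produced by this project's escaper. Requiring exactly two digits gives every byte a single encoding, which appears to be the substance of the bsc#913238 fix; a comment above the loop such as `// exactly two hex digits: the old "\x?" form is rejected` would record why the shorter form is no longer accepted. The enclosing function begins and ends outside the hunk.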
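Review bot: The changed `snprintf` still passes the literal `5` as the buffer size, which has to be kept in step by hand with `char s[5]` and with the `\x` plus two-digit format; `snprintf(s, sizeof(s), "\\x%02x", (unsigned char)(*it));` ties the bound to the declaration so a later resize of the array cannot silently truncate or overrun. A comment on the declaration, `char s[5]; // "\x" + 2 hex digits + NUL`, would make the sizing explicit for the next reader. Whether bytes below 0x20 are escaped is decided in the `else` branch the hunk cuts off, so it cannot be checked from here. The enclosing function starts and ends outside the hunk.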
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Jan 19 12:42:13 CET 2015 - aschnell@suse.de
+
+- stricter dbus string escaping (see bsc#913238)
+
 -------------------------------------------------------------------
 Mon Jan 12 12:19:30 CET 2015 - aschnell@suse.de