- stricter dbus string escaping (see bsc#913238)

diff --git a/dbus/DBusMessage.cc b/dbus/DBusMessage.cc
index da776e67f6059cb505b03ae700a00983bad34617..fab984f8810e7a8f86f28b46f2925457f7b06c9b 100644 (file)
--- a/dbus/DBusMessage.cc
+++ b/dbus/DBusMessage.cc
@@ -305,17 +305,13 @@ namespace DBus
                }
                else if (*it == 'x')
                {
-                   if (++it == in.end())
-                       throw MarshallingException();
-
                    string t1;
-
-                   if (!isxdigit(*it))
-                       throw MarshallingException();
-                   t1 += *it;
-
-                   if ((it + 1) != in.end() && isxdigit(*(it + 1)))
-                       t1 += *++it;
+                   for (int i = 0; i < 2; ++i)
+                   {
+                       if (++it == in.end() || !isxdigit(*it))
+                           throw MarshallingException();
+                       t1 += *it;
+                   }
 
                    unsigned int t2;
                    sscanf(t1.c_str(), "%x", &t2);
@@ -365,7 +361,7 @@ namespace DBus
            else if ((unsigned char)(*it) > 127)
            {
                char s[5];
-               snprintf(s, 5, "\\x%x", (unsigned char)(*it));
+               snprintf(s, 5, "\\x%02x", (unsigned char)(*it));
                out += string(s);
            }
            else

diff --git a/doc/dbus-protocol.txt b/doc/dbus-protocol.txt
index 6aa0b29d7fbd4bef761896d9d051ded1c176db29..dfbf41e6d90980fa0d0c636e64d7717071a0fd2b 100644 (file)
--- a/doc/dbus-protocol.txt
+++ b/doc/dbus-protocol.txt
@@ -55,7 +55,7 @@ method GetFiles config-name number1 number2 -> list(filename status)
 Filenames do not include the subvolume.
 
 Strings are UTF-8. Other characters (e.g. in filenames) must be encoded
-hexadecimal as "\x?" or "\x??". As a consequence "\" must be encoded as "\\".
+hexadecimal as "\x??". As a consequence "\" must be encoded as "\\".
 
 Due to security concerns there are no methods to get, compare or revert
 files. This can be done in the client.

diff --git a/package/snapper.changes b/package/snapper.changes
index 97fd7bcee79684f8fff08ecb4caefb0ce93e4b38..c23cef5d64e529573a4390e2906ac3c4fc678cb2 100644 (file)
--- a/package/snapper.changes
+++ b/package/snapper.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Jan 19 12:42:13 CET 2015 - aschnell@suse.de
+
+- stricter dbus string escaping (see bsc#913238)
+
 -------------------------------------------------------------------
 Mon Jan 12 12:19:30 CET 2015 - aschnell@suse.de