[SECURITY] Fix calc Shell Injection vulnerability
parent
6d54165393
commit
f0dc43702a
2 changed files with 32 additions and 15 deletions
|
@ -53,7 +53,7 @@ async def _(msg: MessageSession):
|
|||
raise NoReportException('计算超时。')
|
||||
else:
|
||||
try:
|
||||
p = await asyncio.create_subprocess_shell(f'python "{os.path.abspath("./modules/calc/calc.py")}" "{msg.parsed_msg["<math_expression>"]}"',
|
||||
p = await asyncio.create_subprocess_exec('python', os.path.abspath("./modules/calc/calc.py"), msg.parsed_msg["<math_expression>"],
|
||||
stdout=asyncio.subprocess.PIPE,
|
||||
stderr=asyncio.subprocess.PIPE
|
||||
)
|
||||
|
@ -72,6 +72,6 @@ async def _(msg: MessageSession):
|
|||
await msg.finish(f'表达式无效:{res[7:]}')
|
||||
else:
|
||||
Logger.error(f'calc.py exited with code {p.returncode}')
|
||||
Logger.error(f'calc.py stderr: {stderr_data.decode("utf-8")}')
|
||||
Logger.error(f'calc.py stderr: {stderr_data.decode("gbk")}')
|
||||
except Exception as e:
|
||||
raise NoReportException(e)
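Review bot: The `create_subprocess_exec('python', ...)` call in the first hunk resolves the interpreter through PATH, so the child may run under a different Python than the bot itself; passing `sys.executable` as the first argument pins it, assuming `sys` is imported in this module. Passing the expression as its own argv element takes the shell out of the picture, but the expression is still untrusted input to calc.py, so the evaluator's own restrictions remain the real boundary. In the second hunk, decoding stderr with a fixed codec can raise UnicodeDecodeError inside the `try`; the `except Exception` below then turns it into a NoReportException and the stderr is never logged. Adding `errors="replace"` to that `decode(...)` call keeps the log line from failing. The handler's body starts and ends outside both hunks.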
|
||||
|
|
|
@ -8,6 +8,23 @@ import statistics
|
|||
import cmath
|
||||
import decimal
|
||||
import fractions
|
||||
import os
|
||||
|
||||
if os.name == 'posix':
|
||||
os.nice(15)
|
||||
import resource
|
||||
resource.setrlimit(resource.RLIMIT_AS,
|
||||
(16 * 1024 * 1024, 16 * 1024 * 1024))
|
||||
resource.setrlimit(resource.RLIMIT_DATA,
|
||||
(16 * 1024 * 1024, 16 * 1024 * 1024))
|
||||
resource.setrlimit(resource.RLIMIT_STACK,
|
||||
(16 * 1024 * 1024, 16 * 1024 * 1024))
|
||||
elif os.name == 'nt':
|
||||
import win32process
|
||||
win32process.SetPriorityClass(win32process.GetCurrentProcess(
|
||||
), 16384)
|
||||
win32process.SetProcessWorkingSetSize(
|
||||
win32process.GetCurrentProcess(), 1, 16 * 1024 * 1024)
|
||||
|
||||
funcs = {}
|
||||
named_funcs = {}
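Review bot: The `nt` branch does not set a hard memory limit: `SetProcessWorkingSetSize` only adjusts working-set bounds, which are soft by default and govern resident pages rather than committed memory, so on Windows a memory-hungry expression is bounded only by the caller's timeout. A job object with a process memory limit is the closer equivalent of the POSIX `RLIMIT_AS` line. Neither branch limits CPU time; on POSIX `resource.setrlimit(resource.RLIMIT_CPU, (soft, hard))` would give a backstop if the parent fails to kill the child. The 16 MiB `RLIMIT_AS` value may also be lower than what the interpreter needs after these imports, which would turn ordinary expressions into MemoryError, so it is worth testing on the target platform. `16384` would read better as `win32process.BELOW_NORMAL_PRIORITY_CLASS`.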
|
||||
|
|