-void ExecWrapper::start(const BufferInfo &info, const QString &scriptName, const QStringList& params) {
- _bufferInfo = info;
- _scriptName = scriptName;
- foreach(QString scriptDir, Quassel::scriptDirPaths()) {
- QString fileName = scriptDir + '/' + scriptName;
- if(!QFile::exists(fileName))
- continue;
- _process.start(fileName, params);
- return;
- }
- emit stderr(tr("Could not find script \"%1\"").arg(scriptName));
- deleteLater();
+
+void ExecWrapper::start(const BufferInfo &info, const QString &command)
+{
+ _bufferInfo = info;
+ QString params;
+
+ QRegExp rx("^\\s*(\\S+)(\\s+(.*))?$");
+ if (!rx.exactMatch(command)) {
+ emit error(tr("Invalid command string for /exec: %1").arg(command));
+ }
+ else {
+ _scriptName = rx.cap(1);
+ params = rx.cap(3);
+ }
+
+ // Make sure we don't execute something outside a script dir
+ if (_scriptName.contains("../") || _scriptName.contains("..\\"))
+ emit error(tr("Name \"%1\" is invalid: ../ or ..\\ are not allowed!").arg(_scriptName));
+
+ else {
+ foreach(QString scriptDir, Quassel::scriptDirPaths()) {
+ QString fileName = scriptDir + _scriptName;
+ if (!QFile::exists(fileName))
+ continue;
+ _process.setWorkingDirectory(scriptDir);
+ _process.start('"' + fileName + "\" " + params);
+ return;
+ }
+ emit error(tr("Could not find script \"%1\"").arg(_scriptName));
+ }
+
+ deleteLater(); // self-destruct
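Review bot: When `rx.exactMatch(command)` fails, the new code emits the error but keeps going, so the lookup loop runs with whatever `_scriptName` already held (presumably empty on a fresh wrapper); `scriptDir + _scriptName` is then the script directory itself, which `QFile::exists` reports as present, and it is handed to `_process.start`. Returning right after that error, with `deleteLater()`, closes this path. The `../` / `..\` substring test is also the only containment check and does not cover a symlink or a directory entry inside a script dir, so resolving the candidate with `QFileInfo::canonicalFilePath()` and requiring a regular file under the canonical script dir is more robust (drop the prefix test if symlinked scripts are meant to be supported). Separately, the single-string `_process.start('"' + fileName + "\" " + params)` relies on Qt's command-line splitting, so a `"` in the script name would end the quoting early; the program-plus-`QStringList` overload used by the removed code avoids that. The function's closing brace lies outside the visible lines.

```cpp
    if (!rx.exactMatch(command)) {
        emit error(tr("Invalid command string for /exec: %1").arg(command));
        deleteLater(); // nothing was started, so clean up here
        return;
    }
    // … unchanged: else branch filling _scriptName and params, ../ and ..\ rejection …
    foreach(QString scriptDir, Quassel::scriptDirPaths()) {
        QFileInfo script(scriptDir + _scriptName);
        // Resolve symlinks, then require a regular file that still lives under scriptDir
        QString resolved = script.canonicalFilePath();
        QString root = QDir(scriptDir).canonicalPath();
        if (!script.isFile() || root.isEmpty() || !resolved.startsWith(root + '/'))
            continue;
        // … unchanged: setWorkingDirectory, start and return …
    }
```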