mirror of
https://github.com/mvt-project/mvt.git
synced 2026-03-19 09:03:28 +00:00
In b2afce5c79, the db filename is wrapped in double-quotes when passing it to the sqlite3 tool's `.clone` helper command. For parsing safety, we avoid performing this cleanup if the filename itself has a double-quote character in it. Otherwise, a malformed filename could lead to arbitrary injection into the sqlite3 command. In be24680046, the sqlite3 wrapping changes to single-quotes. Either the safety check should be amended to block pathnames with single-quotes, or the sqlite3 wrapping should revert to double-quotes. I opted for the latter here because I think single-quotes are more likely than double-quotes to show up in pathnames (e.g. a folder named "Daniel's files"), but either change would be fine, of course.
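The quoting rule the commit message describes, as an added example that is not mvt's own code: the recovered-database path is wrapped in double-quotes inside the sqlite3 `.clone` dot-command, and any path containing a double-quote is refused rather than "cleaned up", because the wrapping quote is exactly the character the sqlite3 shell uses to delimit the argument. The function names, the `.recovered` output suffix and the argv layout are assumptions for illustration; mvt's real recovery helper may differ.

```python
"""Added example (not mvt's own code): build the sqlite3 `.clone` recovery
command with the quoting rule described in the commit message.

Assumptions (labelled): the function names, the `.recovered` output suffix and
the argv layout are illustrative; mvt's real helper may differ.
"""
import shutil
import subprocess
from typing import List

# The sqlite3 shell tokenizes dot-command arguments itself, so the output path
# is wrapped in double-quotes. A double-quote inside the path would end the
# quoted argument early, so such paths are refused instead of being escaped.
QUOTE_CHAR = '"'


def recovered_db_path(db_path: str) -> str:
    """Derive the path the recovered copy is written to (assumed naming)."""
    return f"{db_path}.recovered"


def build_clone_argv(db_path: str) -> List[str]:
    """Return the argv for `sqlite3 <db> '.clone "<recovered>"'`.

    Raises ValueError when either path contains the wrapping quote character,
    matching the safety check the commit message describes. Single-quotes
    (e.g. "Daniel's files") are harmless under double-quote wrapping.
    """
    out_path = recovered_db_path(db_path)
    for path in (db_path, out_path):
        if QUOTE_CHAR in path:
            raise ValueError(f"unsafe filename (contains {QUOTE_CHAR!r}): {path}")
    # argv form, no shell involved: only the dot-command's own quoting matters.
    return ["sqlite3", db_path, f".clone {QUOTE_CHAR}{out_path}{QUOTE_CHAR}"]


def recover_sqlite_db(db_path: str) -> str:
    """Run the clone (needs the sqlite3 CLI) and return the recovered path."""
    if shutil.which("sqlite3") is None:
        raise RuntimeError("sqlite3 command-line tool not found")
    subprocess.run(
        build_clone_argv(db_path),
        check=True,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return recovered_db_path(db_path)


if __name__ == "__main__":
    # Constructed sample paths: a single-quote passes under double-quote wrapping...
    print(build_clone_argv("/tmp/Daniel's files/sms.db"))
    # ...while a double-quote is refused rather than passed through.
    try:
        build_clone_argv('/tmp/odd"name/sms.db')
    except ValueError as exc:
        print("rejected:", exc)
```

Because the command is passed as an argv list rather than a shell string, the only parsing layer in play is the sqlite3 shell's own dot-command tokenizer, which is why the check only needs to cover the one quote character used for wrapping.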