Escape problematic characters in CREDITS files

cmb69 · cmb69 · commit 8aa7e203edf1 · 2022-06-20T16:02:49.000+02:00
On Windows, the contents of the CREDITS files are passed to rc.exe via the command line. To avoid undesired behavior, we need to escape some characters, most notably `<` (which is sometimes used in CREDITS to enclose mail addresses), which otherwise is interpreted as redirection operator, resulting in the hard to understand "The system cannot find the file specified." Even more dangerous is not properly escaping percent signs, which makes it possible for a malicious CREDITS file to inject the values of environment variables of the build system into the generated binaries. This is particularly bad, because as of Windows Vista, the comments can no longer be inspected via explorer.exe, although the binaries still contain these comments. We also cater to double-quotes, which need to be escaped as `\"\"` in this context. Closes GH-8767.
diff --git a/win32/build/confutils.js b/win32/build/confutils.js
@@ -1093,7 +1093,7 @@ function generate_version_info_resource(makefiletarget, basename, creditspath, s
 		if (thanks == null) {
 			thanks = "";
 		} else {
-			thanks = "Thanks to " + thanks;
+			thanks = "Thanks to " + thanks.replace(/([<>&|%])/g, "^$1").replace(/"/g, '\\"\\"');
 		}
 		credits.Close();
 	}

Original file line number	Diff line number	Diff line change
`@@ -1093,7 +1093,7 @@ function generate_version_info_resource(makefiletarget, basename, creditspath, s`
`1093`	`1093`	`if (thanks == null) {`
`1094`	`1094`	`thanks = "";`
`1095`	`1095`	`} else {`
`1096`		`- thanks = "Thanks to " + thanks;`
	`1096`	`+ thanks = "Thanks to " + thanks.replace(/([<>&\|%])/g, "^$1").replace(/"/g, '\\"\\"');`
`1097`	`1097`	`}`
`1098`	`1098`	`credits.Close();`
`1099`	`1099`	`}`