From b2174f462d8da243b8ae7ea0955f614907a3bda7 Mon Sep 17 00:00:00 2001
From: Matt Ranostay <matt.ranostay@konsulko.com>
Date: Wed, 3 Apr 2019 16:07:22 -0700
Subject: binding: mediascanner: escape file uri paths

To avoid prevent passing of non-input validated data to the
agl-service-mediaplayer service the filename paths should be
escaped.

Change-Id: I7d0e9ddf26d02be5fcf127d810d84c3537ddbbce
Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
---
 README.md               | 2 +-
 binding/media-manager.c | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 05b6cb2..b4fada9 100644
--- a/README.md
+++ b/README.md
@@ -21,7 +21,7 @@ with the following fields.
 | Name        | Description                                 |
 |:------------|---------------------------------------------|
 | duration    | length of track in milliseconds             |
-| path        | path to media on filesystem                 |
+| path        | uri escaped path to media on filesystem     |
 | title       | title for media entey                       |
 | album       | album name for media entry                  |
 | artist      | artist name for media entry                 |
diff --git a/binding/media-manager.c b/binding/media-manager.c
index 9761924..f15d79e 100644
--- a/binding/media-manager.c
+++ b/binding/media-manager.c
@@ -131,13 +131,17 @@ GList* media_lightmediascanner_scan(GList *list, gchar *uri, int scan_type)
         struct stat buf;
         struct Media_Item *item;
         const char *path = (const char *) sqlite3_column_text(res, 0);
+        gchar *tmp;
 
         ret = stat(path, &buf);
         if (ret)
             continue;
 
         item = g_malloc0(sizeof(*item));
-        item->path = g_strdup_printf("file://%s", path);
+        tmp = g_uri_escape_string(path, "/", TRUE);
+        item->path = g_strdup_printf("file://%s", tmp);
+        g_free(tmp);
+
         item->type = scan_type;
         item->metadata.title = g_strdup((gchar *) sqlite3_column_text(res, 1));
         item->metadata.artist = g_strdup((gchar *) sqlite3_column_text(res, 2));
-- 
cgit 1.2.3-korg