From 746dd91e860cacdfd67fc6585cd4c87bf97c1d53 Mon Sep 17 00:00:00 2001
From: nicm <nicm>
Date: Tue, 28 Apr 2026 08:52:37 +0000
Subject: [PATCH] Sanitize paste buffer names in paste_set and paste_rename,
 GitHub issue 5032 from Barrett Ruth.

---
 paste.c | 33 ++++++++++++++++++++++++++-------
 1 file changed, 26 insertions(+), 7 deletions(-)

diff --git a/paste.c b/paste.c
index 509e2aa3..0e19bcee 100644
--- a/paste.c
+++ b/paste.c
@@ -205,6 +205,7 @@ int
 paste_rename(const char *oldname, const char *newname, char **cause)
 {
 	struct paste_buffer	*pb, *pb_new;
+	char			*name;
 
 	if (cause != NULL)
 		*cause = NULL;
@@ -220,23 +221,33 @@ paste_rename(const char *oldname, const char *newname, char **cause)
 		return (-1);
 	}
 
+	name = clean_name(newname, "");
+	if (name == NULL) {
+		if (cause != NULL)
+			xasprintf(cause, "invalid buffer name: %s", newname);
+		return (-1);
+	}
+
 	pb = paste_get_name(oldname);
 	if (pb == NULL) {
 		if (cause != NULL)
 			xasprintf(cause, "no buffer %s", oldname);
+		free(name);
 		return (-1);
 	}
 
-	pb_new = paste_get_name(newname);
-	if (pb_new == pb)
+	pb_new = paste_get_name(name);
+	if (pb_new == pb) {
+		free(name);
 		return (0);
+	}
 	if (pb_new != NULL)
 		paste_free(pb_new);
 
 	RB_REMOVE(paste_name_tree, &paste_by_name, pb);
 
 	free(pb->name);
-	pb->name = xstrdup(newname);
+	pb->name = name;
 
 	if (pb->automatic)
 		paste_num_automatic--;
@@ -245,7 +256,7 @@ paste_rename(const char *oldname, const char *newname, char **cause)
 	RB_INSERT(paste_name_tree, &paste_by_name, pb);
 
 	notify_paste_buffer(oldname, 1);
-	notify_paste_buffer(newname, 0);
+	notify_paste_buffer(pb->name, 0);
 
 	return (0);
 }
@@ -258,6 +269,7 @@ int
 paste_set(char *data, size_t size, const char *name, char **cause)
 {
 	struct paste_buffer	*pb, *old;
+	char			*newname;
 
 	if (cause != NULL)
 		*cause = NULL;
@@ -277,9 +289,16 @@ paste_set(char *data, size_t size, const char *name, char **cause)
 		return (-1);
 	}
 
+	newname = clean_name(name, "");
+	if (newname == NULL) {
+		if (cause != NULL)
+			xasprintf(cause, "invalid buffer name: %s", name);
+		return (-1);
+	}
+
 	pb = xmalloc(sizeof *pb);
 
-	pb->name = xstrdup(name);
+	pb->name = newname;
 
 	pb->data = data;
 	pb->size = size;
@@ -289,13 +308,13 @@ paste_set(char *data, size_t size, const char *name, char **cause)
 
 	pb->created = time(NULL);
 
-	if ((old = paste_get_name(name)) != NULL)
+	if ((old = paste_get_name(pb->name)) != NULL)
 		paste_free(old);
 
 	RB_INSERT(paste_name_tree, &paste_by_name, pb);
 	RB_INSERT(paste_time_tree, &paste_by_time, pb);
 
-	notify_paste_buffer(name, 0);
+	notify_paste_buffer(pb->name, 0);
 
 	return (0);
 }