| side by side (parent:
fe4ad63
)
File-Handling: sanitize filenames.
author
Wilfried Goesgens
<dothebart@citadel.org>
Mon, 25 Feb 2013 19:48:08 +0000
(20:48 +0100)
committer
Wilfried Goesgens
<dothebart@citadel.org>
Mon, 25 Feb 2013 19:48:08 +0000
(20:48 +0100)
citadel/file_ops.c
diff --git
a/citadel/file_ops.c
b/citadel/file_ops.c
index b52915e70ae0da62f4ca41e07d4b1a7f9dac9a29..5547c005e0a374c20df9be7a32753111a88c0282 100644
(file)
--- a/
citadel/file_ops.c
+++ b/
citadel/file_ops.c
@@
-203,6
+203,12
@@
void cmd_open(char *cmdbuf)
ERROR + FILE_NOT_FOUND);
return;
}
ERROR + FILE_NOT_FOUND);
return;
}
+ if (strstr(filename, "../") != NULL)
+ {
+ cprintf("%d syntax error.\n",
+ ERROR + ILLEGAL_VALUE);
+ return;
+ }
if (CC->download_fp != NULL) {
cprintf("%d You already have a download file open.\n",
if (CC->download_fp != NULL) {
cprintf("%d You already have a download file open.\n",
@@
-284,6
+290,13
@@
void cmd_oimg(char *cmdbuf)
filename[a] = '_';
}
}
filename[a] = '_';
}
}
+ if (strstr(filename, "../") != NULL)
+ {
+ cprintf("%d syntax error.\n",
+ ERROR + ILLEGAL_VALUE);
+ return;
+ }
+
snprintf(pathname, sizeof pathname,
"%s/%s",
ctdl_image_dir,
snprintf(pathname, sizeof pathname,
"%s/%s",
ctdl_image_dir,
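Review bot: The added `strstr(filename, "../") != NULL` test in cmd_open (and the identical one in cmd_oimg) is a substring blocklist, so it does not reject a name that is exactly `..`, one that ends in `/..`, or one that begins with `/`. If these commands are only meant to name a file directly inside the room or image directory (cmd_oimg builds `"%s/%s"` from `ctdl_image_dir`), rejecting every path separator is a tighter rule: `if (strchr(filename, '/') != NULL || strcmp(filename, "..") == 0)`. The six-line check is duplicated verbatim in both functions; a small `static` helper with a comment stating the allowed filename form would keep the two call sites from drifting apart. Both function bodies continue outside the hunks, so how `filename` is filled and used in cmd_open is not visible here and should be confirmed against the full file.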