Another sanity check on filename for GitHub issue #72

Adam Ierymenko 2014-05-19 16:16:34 +00:00
parent b958a2d30c
commit 596e5dd583


@ -202,6 +202,11 @@ void SoftwareUpdater::_cbHandleGetLatestVersionBinary(void *arg,int code,const s
}
std::string updatesDir(_r->homePath + ZT_PATH_SEPARATOR_S + "updates.d");
std::string updateFilename(url.substr(lastSlash + 1));
if ((updateFilename.length() < 3)||(updateFilename.find("..") != std::string::npos)) {
LOG("software update failed: invalid URL: filename contains invalid characters");
upd->_status = UPDATE_STATUS_IDLE;
return;
}
for(std::string::iterator c(updateFilename.begin());c!=updateFilename.end();++c) {
// Only allow a list of whitelisted characters to make up the filename to prevent any
// path shenanigans, esp on Windows where / is not the path separator.
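Review bot: The log line right after the new `if` says "filename contains invalid characters", but the same branch also fires when `updateFilename.length() < 3`, so a too-short name is reported with the wrong reason; a message that covers both cases, e.g. `LOG("software update failed: invalid URL: filename too short or contains '..'")`, keeps the log accurate for whoever debugs a failed update. The `3` threshold is an unexplained magic number — a one-line comment above the check such as `// reject empty, "." and ".." and anything too short to be a real update file name` would record why, since the `".."` substring test on its own only covers the traversal case. Whether `lastSlash` was compared against `std::string::npos` before `url.substr(lastSlash + 1)` is outside this hunk (the closing brace at its top suggests such a check, but it cannot be confirmed here); if it was not, `npos + 1` wraps to 0, the whole URL becomes the filename, and rejection then rests entirely on the whitelist loop below. That loop starts on the last lines of the hunk and continues past it, and `_cbHandleGetLatestVersionBinary` itself begins before the hunk.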