void/ZeroTierOne
2
0
Fork 0
mirror of https://github.com/zerotier/ZeroTierOne.git synced 2025-06-06 20:43:44 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Another sanity check on filename for GitHub issue #72

Browse source
This commit is contained in:
Adam Ierymenko 2014-05-19 16:16:34 +00:00
parent b958a2d30c
commit 596e5dd583
1 changed files with 5 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
node/SoftwareUpdater.cpp
View file

@ -202,6 +202,11 @@ void SoftwareUpdater::_cbHandleGetLatestVersionBinary(void *arg,int code,const s
} }
std::string updatesDir(_r->homePath + ZT_PATH_SEPARATOR_S + "updates.d"); std::string updatesDir(_r->homePath + ZT_PATH_SEPARATOR_S + "updates.d");
std::string updateFilename(url.substr(lastSlash + 1)); std::string updateFilename(url.substr(lastSlash + 1));
if ((updateFilename.length() < 3)||(updateFilename.find("..") != std::string::npos)) {
LOG("software update failed: invalid URL: filename contains invalid characters");
upd->_status = UPDATE_STATUS_IDLE;
return;
}
for(std::string::iterator c(updateFilename.begin());c!=updateFilename.end();++c) { for(std::string::iterator c(updateFilename.begin());c!=updateFilename.end();++c) {
// Only allow a list of whitelisted characters to make up the filename to prevent any // Only allow a list of whitelisted characters to make up the filename to prevent any
// path shenanigans, esp on Windows where / is not the path separator. // path shenanigans, esp on Windows where / is not the path separator.