Security: don't pass a string to fgValidatePath then use the original

This is insecure because it always (not just on Windows) converts \ to / before .. checking. Either use the path it returns (as in f_open()) or use an SGPath (where this conversion is already done) Only a minor problem because the affected functions are limited to the .sav file type
2015-07-12 17:49:21 +01:00 · 2015-07-12 17:49:21 +01:00 · 1199d6d626
commit 1199d6d626
parent 14b97abd8f
1 changed files with 8 additions and 6 deletions
--- a/src/Main/fg_commands.cxx
+++ b/src/Main/fg_commands.cxx
@ -287,9 +287,10 @@ do_pause (const SGPropertyNode * arg)
 static bool
 do_load (const SGPropertyNode * arg)
 {
-    string file = arg->getStringValue("file", "fgfs.sav");
-    if (file.size() < 4 || file.substr(file.size() - 4) != ".sav")
-        file += ".sav";
+    SGPath file(arg->getStringValue("file", "fgfs.sav"));
+
+    if (file.extension() != "sav")
+        file.concat(".sav");

    if (fgValidatePath(file, false).empty()) {
        SG_LOG(SG_IO, SG_ALERT, "load: reading '" << file << "' denied "
@ -318,9 +319,10 @@ do_load (const SGPropertyNode * arg)
 static bool
 do_save (const SGPropertyNode * arg)
 {
-    string file = arg->getStringValue("file", "fgfs.sav");
-    if (file.size() < 4 || file.substr(file.size() - 4) != ".sav")
-        file += ".sav";
+    SGPath file(arg->getStringValue("file", "fgfs.sav"));
+
+    if (file.extension() != "sav")
+        file.concat(".sav");

    if (fgValidatePath(file, false).empty()) {
        SG_LOG(SG_IO, SG_ALERT, "save: writing '" << file << "' denied "