fly/flightgear
1
0
Fork 0
Code Activity

Security: don't pass a string to fgValidatePath then use the original

Browse source 
This is insecure because it always (not just on Windows) converts
\ to / before .. checking.  Either use the path it returns (as in
f_open()) or use an SGPath (where this conversion is already done)

Only a minor problem because the affected functions are limited to
the .sav file type
This commit is contained in:
Rebecca N. Palmer 2015-07-12 17:49:21 +01:00
parent 14b97abd8f
commit 1199d6d626
1 changed files with 8 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
src/Main/fg_commands.cxx
View file

@ -287,9 +287,10 @@ do_pause (const SGPropertyNode * arg)
static bool static bool
do_load (const SGPropertyNode * arg) do_load (const SGPropertyNode * arg)
{ {
string file = arg->getStringValue("file", "fgfs.sav"); SGPath file(arg->getStringValue("file", "fgfs.sav"));
if (file.size() < 4 || file.substr(file.size() - 4) != ".sav")
file += ".sav"; if (file.extension() != "sav")
file.concat(".sav");
if (fgValidatePath(file, false).empty()) { if (fgValidatePath(file, false).empty()) {
SG_LOG(SG_IO, SG_ALERT, "load: reading '" << file << "' denied " SG_LOG(SG_IO, SG_ALERT, "load: reading '" << file << "' denied "
@ -318,9 +319,10 @@ do_load (const SGPropertyNode * arg)
static bool static bool
do_save (const SGPropertyNode * arg) do_save (const SGPropertyNode * arg)
{ {
string file = arg->getStringValue("file", "fgfs.sav"); SGPath file(arg->getStringValue("file", "fgfs.sav"));
if (file.size() < 4 || file.substr(file.size() - 4) != ".sav")
file += ".sav"; if (file.extension() != "sav")
file.concat(".sav");
if (fgValidatePath(file, false).empty()) { if (fgValidatePath(file, false).empty()) {
SG_LOG(SG_IO, SG_ALERT, "save: writing '" << file << "' denied " SG_LOG(SG_IO, SG_ALERT, "save: writing '" << file << "' denied "