PlaylistFile: disallow backslash in playlist names on Windows

The function spl_valid_name() should verify playlist names and prevent path traversal, but it failed to do so on Windows, because it forgot to check for backslashes. This buggy piece of code was already present when stored playlists were initially implemented in 2006 by commit 08003904d7, and even during the many rounds of code refactoring, nobody ever bothered to verify it. D'oh! (Thanks, Paul Arzelier)
2022-11-28 09:48:57 +01:00 · 2022-11-28 09:48:57 +01:00 · eaecbcafb2
parent 73b5d0a9b9
commit eaecbcafb2
2 changed files with 4 additions and 0 deletions
--- a/1
+++ b/1
@ -2,6 +2,7 @@ ver 0.23.11 (not yet released)
 * macOS: fix build failure "no archive members specified"
 * Windows
  - fix crash bug (stack buffer overflow) after I/O errors
+  - fix path traversal bug because backslash was allowed in playlist names
 * Android/Windows
  - update OpenSSL to 3.0.7

--- a/src/PlaylistFile.cxx
+++ b/src/PlaylistFile.cxx
@ -81,6 +81,9 @@ spl_valid_name(const char *name_utf8)
 	 */

 	return std::strchr(name_utf8, '/') == nullptr &&
+#ifdef _WIN32
+		std::strchr(name_utf8, '\\') == nullptr &&
+#endif
 		std::strchr(name_utf8, '\n') == nullptr &&
 		std::strchr(name_utf8, '\r') == nullptr;
 }