oysteikt
/
mpd
0
0
Fork 0
Code Issues Pull Requests Releases Activity

mapper: check for "." and ".." 

Make map_directory_child_fs() refuse the names "." and "..".  This is
currently the interface where an attacker may inject a manipulated
path (through the "update" command).
This commit is contained in:
Max Kellermann 2008-10-31 16:48:58 +01:00
parent a5f8d4386c
commit f291876772
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/mapper.c
View File

@ -100,6 +100,11 @@ map_directory_child_fs(const struct directory *directory, const char *name,
char buffer2[MPD_PATH_MAX]; char buffer2[MPD_PATH_MAX];
const char *parent_fs; const char *parent_fs;
/* check for invalid or unauthorized base names */
if (*name == 0 || strchr(name, '/') != NULL ||
strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
return NULL;
parent_fs = map_directory_fs(directory, buffer2); parent_fs = map_directory_fs(directory, buffer2);
if (parent_fs == NULL) if (parent_fs == NULL)
return NULL; return NULL;