Protect against malicious servers sending requests with "..". Fixes RH

bug 676252. Credits to Noam Rathaus <noamr@beyondsecurity.com> for finding this bug. git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1626 423420c4-83ab-492f-b58f-81f9feb106b5
2011-04-18 11:25:26 +00:00 · 2011-04-18 11:25:26 +00:00 · 3819f8b56d
commit 3819f8b56d
parent 8939c3b04a
1 changed files with 13 additions and 0 deletions
--- a/disk.c
+++ b/disk.c
@ -356,6 +356,19 @@ disk_create(uint32 device_id, uint32 accessmask, uint32 sharemode, uint32 create
 		filename[strlen(filename) - 1] = 0;
 	sprintf(path, "%s%s", g_rdpdr_device[device_id].local_path, filename);

+	/* Protect against mailicous servers:
+	   somelongpath/..     not allowed
+	   somelongpath/../b   not allowed
+	   somelongpath/..b    in principle ok, but currently not allowed
+	   somelongpath/b..    ok
+	   somelongpath/b..b   ok
+	   somelongpath/b../c  ok
+	 */
+	if (strstr(path, "/.."))
+	{
+		return RD_STATUS_ACCESS_DENIED;
+	}
+
 	switch (create_disposition)
 	{
 		case CREATE_ALWAYS: