Protect against malicious servers sending requests with "..". Fixes RH
bug 676252. Credits to Noam Rathaus <noamr@beyondsecurity.com> for finding this bug. git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1626 423420c4-83ab-492f-b58f-81f9feb106b5
parent
8939c3b04a
commit
3819f8b56d
13
disk.c
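--- a/disk.c
+++ b/disk.c
@@ -356,6 +356,19 @@ disk_create(uint32 device_id, uint32 accessmask, uint32 sharemode, uint32 create
 filename[strlen(filename) - 1] = 0;
 sprintf(path, "%s%s", g_rdpdr_device[device_id].local_path, filename);
 
+/* Protect against mailicous servers:
+somelongpath/.. not allowed
+somelongpath/../b not allowed
+somelongpath/..b in principle ok, but currently not allowed
+somelongpath/b.. ok
+somelongpath/b..b ok
+somelongpath/b../c ok
+*/
+if (strstr(path, "/.."))
+{
+return RD_STATUS_ACCESS_DENIED;
+}
+
 switch (create_disposition)
 {
 case CREATE_ALWAYS: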
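Review bot: The new `if (strstr(path, "/.."))` test is a substring match on the joined `path`, so it also inspects the locally configured `local_path` (a share whose own path contains `/..` would have every create denied) and it does not stop a symlink inside the share from resolving outside it. Matching only exact `..` components of the server-supplied `filename` would remove the `..b` false positive that the comment admits to, and comparing the `realpath()` of the parent directory against the share root before opening would cover the symlink case. The `sprintf(path, "%s%s", ...)` on the context line above is unbounded; the declaration of `path` is outside the hunk, but if it is a fixed array, `snprintf(path, sizeof(path), ...)` with a truncation check belongs before this test. disk_create starts and ends outside the hunk, and any other handlers that build local paths from server-sent names are not visible here, so confirm they apply the same check. The comment also misspells "malicious".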