Protect against malicious servers sending requests with "..". Fixes RH
bug 676252. Credits to Noam Rathaus <noamr@beyondsecurity.com> for finding this bug. git-svn-id: svn://svn.code.sf.net/p/rdesktop/code/rdesktop/trunk@1626 423420c4-83ab-492f-b58f-81f9feb106b5
parent
8939c3b04a
commit
3819f8b56d
13
disk.c
13
disk.c
@ -356,6 +356,19 @@ disk_create(uint32 device_id, uint32 accessmask, uint32 sharemode, uint32 create
|
||||
filename[strlen(filename) - 1] = 0;
|
||||
sprintf(path, "%s%s", g_rdpdr_device[device_id].local_path, filename);
|
||||
|
||||
/* Protect against mailicous servers:
|
||||
somelongpath/.. not allowed
|
||||
somelongpath/../b not allowed
|
||||
somelongpath/..b in principle ok, but currently not allowed
|
||||
somelongpath/b.. ok
|
||||
somelongpath/b..b ok
|
||||
somelongpath/b../c ok
|
||||
*/
|
||||
if (strstr(path, "/.."))
|
||||
{
|
||||
return RD_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
switch (create_disposition)
|
||||
{
|
||||
case CREATE_ALWAYS:
|
||||
|
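Review bot: The new `strstr(path, "/..")` test runs only after the unbounded `sprintf(path, "%s%s", ...)` has copied the server-supplied `filename` into `path`, so an overlong name is written before anything is rejected. The declaration of `path` is outside the hunk, but if it is a local array, a bounded call ahead of the test would close this: `if (snprintf(path, sizeof(path), "%s%s", g_rdpdr_device[device_id].local_path, filename) >= (int) sizeof(path)) return RD_STATUS_ACCESS_DENIED;`. The test also scans the locally configured `local_path`, so a share root that itself contains `/..` would have every create denied. Scanning only `filename` would avoid that, but is safe only if `filename` always starts with a separator here, which the hunk does not show. Only `disk_create` is guarded in this hunk, and its body starts and ends outside it, so other handlers in disk.c that build a path from a server-supplied name should be checked for the same test; the comment also misspells `malicious` as `mailicous`.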