Changeset 14264

Timestamp:

Apr 27, 2014, 8:17:16 PM (9 years ago)

Author:

jordan

Message:

(trunk, libT) #5517 'Don't create or add torrents with "../" at the beginning of the path or "/../" anywhere in the path' -- fixed.

File:

• trunk/libtransmission/metainfo.c (modified) (9 diffs)

trunk/libtransmission/metainfo.c

@@ -31 +31 @@
 ***/
 
+
+#ifdef WIN32
+  #define PATH_DELIMITER_CHARS "/\\"
+#else
+  #define PATH_DELIMITER_CHARS "/"
+#endif
+
+static inline bool
+char_is_path_separator (char c)
+{
+  return strchr(PATH_DELIMITER_CHARS, c) != NULL;
+}
+
 char*
 tr_metainfoGetBasename (const tr_info * inf)
@@ -40 +53 @@
 
   for (i=0; i<name_len; ++i)
-    if (ret[i] == '/')
+    if (char_is_path_separator (ret[i]))
       ret[i] = '_';
 
@@ -61 +74 @@
 
 static bool
-path_is_suspicious (const char * path)
-{
-  return (path == NULL)
-      || (!strncmp (path, "../", 3))
-      || (strstr (path, "/../") != NULL);
+path_component_is_suspicious (const char * component)
+{
+  return (component == NULL)
+      || (*component == '\0')
+      || (strpbrk (component, PATH_DELIMITER_CHARS) != NULL)
+      || (strcmp (component, ".") == 0)
+      || (strcmp (component, "..") == 0);
 }
 
@@ -73 +88 @@
   bool success = false;
 
+  *setme = NULL;
+
+  /* root's already been checked by caller */
+  assert (!path_component_is_suspicious (root));
+
   if (tr_variantIsList (path))
     {
@@ -78 +98 @@
       const int n = tr_variantListSize (path);
 
+      success = true;
       evbuffer_drain (buf, evbuffer_get_length (buf));
       evbuffer_add (buf, root, strlen (root));
+
       for (i=0; i<n; i++)
         {
@@ -85 +107 @@
           const char * str;
 
-          if (tr_variantGetStr (tr_variantListChild (path, i), &str, &len))
+          if (!tr_variantGetStr (tr_variantListChild (path, i), &str, &len) ||
+              path_component_is_suspicious (str))
             {
-              evbuffer_add (buf, TR_PATH_DELIMITER_STR, 1);
-              evbuffer_add (buf, str, len);
+              success = false;
+              break;
             }
-        }
-
+
+          evbuffer_add (buf, TR_PATH_DELIMITER_STR, 1);
+          evbuffer_add (buf, str, len);
+        }
+    }
+
+  if (success)
+    {
       *setme = tr_utf8clean ((char*)evbuffer_pullup (buf, -1), evbuffer_get_length (buf));
-      /* fprintf (stderr, "[%s]\n", *setme); */
-      success = true;
-    }
-
-  if ((*setme != NULL) && path_is_suspicious (*setme))
-    {
-      tr_free (*setme);
-      *setme = NULL;
-      success = false;
+      /*fprintf (stderr, "[%s]\n", *setme);*/
     }
 
@@ -117 +138 @@
     {
       tr_file_index_t i;
-      struct evbuffer * buf = evbuffer_new ();
+      struct evbuffer * buf;
+      const char * result;
+
+      if (path_component_is_suspicious (inf->name))
+        return "path";
+
+      buf = evbuffer_new ();
+      result = NULL;
 
       inf->isMultifile = 1;
@@ -130 +158 @@
           file = tr_variantListChild (files, i);
           if (!tr_variantIsDict (file))
-            return "files";
+            {
+              result = "files";
+              break;
+            }
 
           if (!tr_variantDictFindList (file, TR_KEY_path_utf_8, &path))
             if (!tr_variantDictFindList (file, TR_KEY_path, &path))
-              return "path";
+              {
+                result = "path";
+                break;
+              }
 
           if (!getfile (&inf->files[i].name, inf->name, path, buf))
-            return "path";
+            {
+              result = "path";
+              break;
+            }
 
           if (!tr_variantDictFindInt (file, TR_KEY_length, &len))
-            return "length";
+            {
+              result = "length";
+              break;
+            }
 
           inf->files[i].length = len;
@@ -147 +187 @@
 
       evbuffer_free (buf);
+      return result;
     }
   else if (tr_variantGetInt (length, &len)) /* single-file mode */
     {
-      if (path_is_suspicious (inf->name))
+      if (path_component_is_suspicious (inf->name))
         return "path";