authorMichi Henning <michi@zeroc.com>2005-02-21 01:13:56 +0000
committerMichi Henning <michi@zeroc.com>2005-02-21 01:13:56 +0000
commit7076bbd87e954834a2f8a44c39d16b30ff04ab1c (patch)
treeceb11cc53a522e8d0d2200b154eb2a9f2069fd58 /cpp/src/IcePatch2/FileServerI.cpp
parentadding Ice version numbers (diff)
Added check to server to disallow absolute paths and paths containing "..".
Diffstat (limited to 'cpp/src/IcePatch2/FileServerI.cpp')
-rw-r--r--cpp/src/IcePatch2/FileServerI.cpp23
1 files changed, 19 insertions, 4 deletions
diff --git a/cpp/src/IcePatch2/FileServerI.cpp b/cpp/src/IcePatch2/FileServerI.cpp
index ae1099f3e3b..845eac2798f 100644
--- a/cpp/src/IcePatch2/FileServerI.cpp
+++ b/cpp/src/IcePatch2/FileServerI.cpp
@@ -62,13 +62,28 @@ IcePatch2::FileServerI::getChecksum(const Current&) const
ByteSeq
IcePatch2::FileServerI::getFileCompressed(const string& pa, Int pos, Int num, const Current&) const
{
+ if(isAbsolute(pa))
+ {
+ FileAccessException ex;
+ ex.reason = "Illegal absolute path: `" + pa + "'";
+ throw ex;
+ }
+
string path = simplify(_dataDir + '/' + pa);
path += ".bz2";
- //
- // TODO: Check if path is allowed, i.e., make sure that it neither
- // is absolute, nor that it contains illegal "..".
- //
+ string::size_type slashPos = path.find('/');
+ while(slashPos != string::npos)
+ {
+ string::size_type endPos = path.find('/', slashPos + 1);
+ if(path.substr(slashPos + 1, endPos - slashPos - 1) == "..")
+ {
+ FileAccessException ex;
+ ex.reason = "Illegal .. component in path: `" + pa + "'";
+ throw ex;
+ }
+ slashPos = endPos;
+ }
if(num <= 0 || pos < 0)
{