Blame rdesktop-CVE-2011-1595.patch
|
Kalev Lember |
a4a4221 |
Index: disk.c
|
|
Kalev Lember |
a4a4221 |
===================================================================
|
|
Kalev Lember |
a4a4221 |
--- disk.c (revision 1620)
|
|
Kalev Lember |
a4a4221 |
+++ disk.c (arbetskopia)
|
|
Kalev Lember |
a4a4221 |
@@ -356,6 +356,19 @@
|
|
Kalev Lember |
a4a4221 |
filename[strlen(filename) - 1] = 0;
|
|
Kalev Lember |
a4a4221 |
sprintf(path, "%s%s", g_rdpdr_device[device_id].local_path, filename);
|
|
Kalev Lember |
a4a4221 |
|
|
Kalev Lember |
a4a4221 |
+ /* Protect against mailicous servers:
|
|
Kalev Lember |
a4a4221 |
+ somelongpath/.. not allowed
|
|
Kalev Lember |
a4a4221 |
+ somelongpath/../b not allowed
|
|
Kalev Lember |
a4a4221 |
+ somelongpath/..b in principle ok, but currently not allowed
|
|
Kalev Lember |
a4a4221 |
+ somelongpath/b.. ok
|
|
Kalev Lember |
a4a4221 |
+ somelongpath/b..b ok
|
|
Kalev Lember |
a4a4221 |
+ somelongpath/b../c ok
|
|
Kalev Lember |
a4a4221 |
+ */
|
|
Kalev Lember |
a4a4221 |
+ if (strstr(path, "/.."))
|
|
Kalev Lember |
a4a4221 |
+ {
|
|
Kalev Lember |
a4a4221 |
+ return RD_STATUS_ACCESS_DENIED;
|
|
Kalev Lember |
a4a4221 |
+ }
|
|
Kalev Lember |
a4a4221 |
+
|
|
Kalev Lember |
a4a4221 |
switch (create_disposition)
|
|
Kalev Lember |
a4a4221 |
{
|
|
Kalev Lember |
a4a4221 |
case CREATE_ALWAYS:
|