core: Validate file names read from directory variants
In a future where we pull data from remote servers, we don't want to allow path uplinks.
parent
4a26be1bef
commit
aa865bbb83
@ -237,6 +237,9 @@ do_resolve_nonroot (OstreeRepoFile *self,
|
||||
g_variant_get_child (container, i, "(&s&s&s)",
|
||||
&name, &content_checksum, &metadata_checksum);
|
||||
|
||||
if (!ot_util_validate_file_name (name, error))
|
||||
goto out;
|
||||
|
||||
if (!ostree_repo_load_variant_checked (self->repo, OSTREE_SERIALIZED_TREE_VARIANT,
|
||||
content_checksum, &tree_contents,
|
||||
error))
|
||||
|
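Review bot: Only `name` is checked here; `content_checksum` and `metadata_checksum` come out of the same `g_variant_get_child` call, and `content_checksum` goes straight into `ostree_repo_load_variant_checked` with no format check visible in this hunk. If that loader derives an object path from the string (its body is not shown, so this needs confirming), a tree variant from an untrusted remote could influence the lookup just as an unchecked name could. I would validate both checksum strings right after the name check, or at least leave `/* TODO: validate content_checksum and metadata_checksum before using them to locate objects */` above the load. do_resolve_nonroot begins and ends outside the hunk, so any other reads of the variant in it are not covered by this note.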
@ -139,6 +139,31 @@ ot_util_filename_has_dotdot (const char *path)
|
||||
return last == '\0' || last == '/';
|
||||
}
|
||||
|
||||
gboolean
|
||||
ot_util_validate_file_name (const char *name,
|
||||
GError **error)
|
||||
{
|
||||
if (strcmp (name, ".") == 0)
|
||||
{
|
||||
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
|
||||
"Invalid self-reference '.' in filename '%s'", name);
|
||||
return FALSE;
|
||||
}
|
||||
if (ot_util_filename_has_dotdot (name))
|
||||
{
|
||||
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
|
||||
"Invalid path uplink '..' in filename '%s'", name);
|
||||
return FALSE;
|
||||
}
|
||||
if (strchr (name, '/') != NULL)
|
||||
{
|
||||
g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
|
||||
"Invalid / in filename '%s'", name);
|
||||
return FALSE;
|
||||
}
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
GPtrArray *
|
||||
ot_util_path_split (const char *path)
|
||||
{
|
||||
|
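Review bot: An empty string passes ot_util_validate_file_name: it is not ".", it contains no '/', and the one visible line of ot_util_filename_has_dotdot does not suggest that it rejects "" (the rest of that function is outside the hunk). An empty component joined onto a directory path names the directory itself, so it should be refused like the other cases, with a first branch as sketched below. `name` is also passed to `strcmp` without a NULL check, which is safe only if every caller takes it from a `&s` variant child as do_resolve_nonroot does. Separately, `G_IO_ERROR_INVALID_FILENAME` in place of `G_IO_ERROR_FAILED` would let callers tell a rejected name from an I/O failure.

```c
  /* … at the top of ot_util_validate_file_name … */
  /* An empty component would resolve to the containing directory. */
  if (*name == '\0')
    {
      g_set_error (error, G_IO_ERROR, G_IO_ERROR_FAILED,
                   "Invalid empty filename");
      return FALSE;
    }
  if (strcmp (name, ".") == 0)
  /* … unchanged: '.', '..' and '/' checks, return TRUE … */
```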
@ -45,6 +45,9 @@ void ot_util_fatal_gerror (GError *error) G_GNUC_NORETURN;
|
||||
|
||||
gboolean ot_util_filename_has_dotdot (const char *path);
|
||||
|
||||
gboolean ot_util_validate_file_name (const char *name,
|
||||
GError **error);
|
||||
|
||||
GPtrArray *ot_util_sort_filenames_by_component_length (GPtrArray *files);
|
||||
|
||||
GPtrArray* ot_util_path_split (const char *path);
|
||||
|
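Review bot: The new prototype carries no comment saying that it accepts a single directory entry name rather than a path, which is the property its callers depend on. I would add above it `/* Returns TRUE if @name is usable as one directory entry name (not ".", no "..", no '/'); otherwise sets @error and returns FALSE. */`. Without that, it is easy to mistake for a relative-path validator, sitting next to ot_util_filename_has_dotdot, which takes a `path`.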