diff options
| author | Adam Ierymenko <adam.ierymenko@gmail.com> | 2014-05-19 16:13:42 +0000 |
|---|---|---|
| committer | Adam Ierymenko <adam.ierymenko@gmail.com> | 2014-05-19 16:13:42 +0000 |
| commit | b958a2d30c69434e1a2b8be927100e16c6eb4554 (patch) | |
| tree | 71e8e8d55dfc614326845987d9df5bca080151f5 /node | |
| parent | e270887391a2a023a90a80d974a0e54f43d9ed6e (diff) | |
| download | infinitytier-b958a2d30c69434e1a2b8be927100e16c6eb4554.tar.gz infinitytier-b958a2d30c69434e1a2b8be927100e16c6eb4554.zip | |
Redis schema updates and fix for GitHub issue #72
Diffstat (limited to 'node')
| -rw-r--r-- | node/SoftwareUpdater.cpp | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/node/SoftwareUpdater.cpp b/node/SoftwareUpdater.cpp index 7cb0d479..02da55db 100644 --- a/node/SoftwareUpdater.cpp +++ b/node/SoftwareUpdater.cpp @@ -201,7 +201,17 @@ void SoftwareUpdater::_cbHandleGetLatestVersionBinary(void *arg,int code,const s return; } std::string updatesDir(_r->homePath + ZT_PATH_SEPARATOR_S + "updates.d"); - std::string updatePath(updatesDir + ZT_PATH_SEPARATOR_S + url.substr(lastSlash + 1)); + std::string updateFilename(url.substr(lastSlash + 1)); + for(std::string::iterator c(updateFilename.begin());c!=updateFilename.end();++c) { + // Only allow a list of whitelisted characters to make up the filename to prevent any + // path shenanigans, esp on Windows where / is not the path separator. + if (!strchr("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.0123456789",*c)) { + LOG("software update failed: invalid URL: filename contains invalid characters"); + upd->_status = UPDATE_STATUS_IDLE; + return; + } + } + std::string updatePath(updatesDir + ZT_PATH_SEPARATOR_S + updateFilename); #ifdef __WINDOWS__ CreateDirectoryA(updatesDir.c_str(),NULL); #else |