From b958a2d30c69434e1a2b8be927100e16c6eb4554 Mon Sep 17 00:00:00 2001
From: Adam Ierymenko
Date: Mon, 19 May 2014 16:13:42 +0000
Subject: Redis schema updates and fix for GitHub issue #72

---
 node/SoftwareUpdater.cpp | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
(limited to 'node')

diff --git a/node/SoftwareUpdater.cpp b/node/SoftwareUpdater.cpp
index 7cb0d479..02da55db 100644
--- a/node/SoftwareUpdater.cpp
+++ b/node/SoftwareUpdater.cpp
@@ -201,7 +201,17 @@ void SoftwareUpdater::_cbHandleGetLatestVersionBinary(void *arg,int code,const s
 return;
 }
 std::string updatesDir(_r->homePath + ZT_PATH_SEPARATOR_S + "updates.d");
- std::string updatePath(updatesDir + ZT_PATH_SEPARATOR_S + url.substr(lastSlash + 1));
+ std::string updateFilename(url.substr(lastSlash + 1));
+ for(std::string::iterator c(updateFilename.begin());c!=updateFilename.end();++c) {
+ // Only allow a list of whitelisted characters to make up the filename to prevent any
+ // path shenanigans, esp on Windows where / is not the path separator.
+ if (!strchr("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.0123456789",*c)) {
+ LOG("software update failed: invalid URL: filename contains invalid characters");
+ upd->_status = UPDATE_STATUS_IDLE;
+ return;
+ }
+ }
+ std::string updatePath(updatesDir + ZT_PATH_SEPARATOR_S + updateFilename);
 #ifdef __WINDOWS__
 CreateDirectoryA(updatesDir.c_str(),NULL);
 #else
-- 
cgit v1.2.3
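Review bot: The per-character whitelist still lets through three names that are path-relevant: an empty filename (when `url` ends in a slash), `.` and `..`, since each is made up only of characters in the allowed set, so `updatePath` can resolve to `updatesDir` itself or to its parent rather than a file inside it. The `strchr()` test is also wrong for a `'\0'` byte: `strchr` matches the set's own terminator and returns non-null, so an embedded NUL in the `std::string` passes the check and would presumably truncate the path wherever it is later handed to a C API. I would replace the loop with a single `find_first_not_of` test plus explicit rejection of the three names, keeping the existing LOG/status/return handling; `_cbHandleGetLatestVersionBinary` starts before this hunk and continues after it.
```cpp
std::string updateFilename(url.substr(lastSlash + 1));
// Reject names that are only made of whitelisted characters but are not a plain
// file inside updates.d (empty, ".", ".."), then require every byte to be in the
// allowed set. find_first_not_of also rejects embedded NUL bytes, which strchr()
// would accept because it matches the set's terminating '\0'.
if ((updateFilename.empty())||(updateFilename == ".")||(updateFilename == "..")||
    (updateFilename.find_first_not_of("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-_.0123456789") != std::string::npos)) {
	LOG("software update failed: invalid URL: filename contains invalid characters");
	upd->_status = UPDATE_STATUS_IDLE;
	return;
}
std::string updatePath(updatesDir + ZT_PATH_SEPARATOR_S + updateFilename);
// … unchanged: directory creation and the rest of the callback …
```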