UNLOZE/sourcemod
10
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Disallow ".." to appear in paths from the updater.

Browse Source
This commit is contained in:
David Anderson 2009-02-17 16:58:17 -05:00
parent 3d7b0db114
commit ed51d5cf84
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
extensions/updater/extension.cpp
View File

@ -127,6 +127,12 @@ static void PumpUpdate(void *data)
UpdatePart *part = (UpdatePart*)data; UpdatePart *part = (UpdatePart*)data;
while (part != NULL) while (part != NULL)
{ {
if (strstr(part->file, "..") != NULL)
{
/* Naughty naughty */
AddUpdateError("Detected invalid path escape (..): %s", part->file);
goto skip_create;
}
if (part->data == NULL) if (part->data == NULL)
{ {
smutils->BuildPath(Path_SM, path, sizeof(path), "gamedata/%s", part->file); smutils->BuildPath(Path_SM, path, sizeof(path), "gamedata/%s", part->file);
@ -158,6 +164,7 @@ static void PumpUpdate(void *data)
"Successfully updated gamedata file \"%s\"", "Successfully updated gamedata file \"%s\"",
part->file); part->file);
} }
skip_create:
temp = part->next; temp = part->next;
free(part->data); free(part->data);
free(part->file); free(part->file);