Commit f2918767 authored by Max Kellermann

mapper: check for "." and ".."

Make map_directory_child_fs() refuse the names "." and "..". This is currently the interface where an attacker may inject a manipulated path (through the "update" command).
parent a5f8d438
...@@ -100,6 +100,11 @@ map_directory_child_fs(const struct directory *directory, const char *name, ...@@ -100,6 +100,11 @@ map_directory_child_fs(const struct directory *directory, const char *name,
char buffer2[MPD_PATH_MAX]; char buffer2[MPD_PATH_MAX];
const char *parent_fs; const char *parent_fs;
/* check for invalid or unauthorized base names */
if (*name == 0 || strchr(name, '/') != NULL ||
strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
return NULL;
parent_fs = map_directory_fs(directory, buffer2); parent_fs = map_directory_fs(directory, buffer2);
if (parent_fs == NULL) if (parent_fs == NULL)
return NULL; return NULL;
......