[vdagent-win PATCH] Avoid using names with invalid characters.

Check if the filename contains invalid characters.
This also avoids using paths in the filename, which could lead to some
nasty hacks (names like "..\hack.txt").

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
 vdagent/file_xfer.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/vdagent/file_xfer.cpp b/vdagent/file_xfer.cpp
index 0e90ebe..2072277 100644
--- a/vdagent/file_xfer.cpp
+++ b/vdagent/file_xfer.cpp
@@ -65,6 +65,10 @@ void FileXfer::handle_start(VDAgentFileXferStartMessage* start,
         return;
     }
     vd_printf("%u %s (%" PRIu64 ")", start->id, file_name, file_size);
+    if (strcspn(file_name, "<>:\"/\\|?*") != strlen(file_name)) {
+        vd_printf("filename contains invalid characters");
+        return;
+    }
     if (!as_user.begin()) {
         vd_printf("as_user failed");
         return;
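Review bot: The reject set in the added strcspn() call lists only the printable reserved characters, so a file_name containing control characters (bytes 1 to 31), which Windows also disallows in file names, still passes, as do the names "." and "..", which contain none of the listed characters. Consider rejecting bytes below 0x20 and those two names in the same check, and add a short comment saying that the set is the Windows reserved-character list and that rejecting '/' and '\' is what keeps the name from carrying a path. As a style point, strpbrk(file_name, "<>:\"/\\|?*") != NULL expresses the same test without the second pass that strlen() makes over the string.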
-- 
2.7.4

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel



