[vdagent-win PATCH v2] Avoid to use names with reserved characters.

Some characters are reserved and should not be used in Windows
independently of the file system used.
This avoids using paths in the filename, which could lead to some
nasty hacks (such as names like "..\hack.txt").

":" is used to separate filenames from stream names and can be used
to create hidden streams. It is also used as the drive separator (A:)
or in device names (NUL:).
"/" and "\" are reserved for components (directory, filename, drive,
share, server) separators.
"*" and "?" are wildcards (which on Windows are supported by
different APIs too).
"<", ">" and "|" are reserved for shell usage.

Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
---
 vdagent/file_xfer.cpp | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/vdagent/file_xfer.cpp b/vdagent/file_xfer.cpp
index 0e90ebe..2072277 100644
--- a/vdagent/file_xfer.cpp
+++ b/vdagent/file_xfer.cpp
@@ -65,6 +65,10 @@ void FileXfer::handle_start(VDAgentFileXferStartMessage* start,
         return;
     }
     vd_printf("%u %s (%" PRIu64 ")", start->id, file_name, file_size);
+    if (strcspn(file_name, "<>:\"/\\|?*") != strlen(file_name)) {
+        vd_printf("filename contains invalid characters");
+        return;
+    }
     if (!as_user.begin()) {
         vd_printf("as_user failed");
         return;
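
Review bot: The character set passed to strcspn() on the first added line does not cover everything Windows reserves in a file name: control characters (values 1 to 31) and bare device names such as "NUL" without the trailing colon still pass this check. Consider rejecting those here as well, since the commit message already calls out device names as a concern. As a style point, strpbrk(file_name, ...) != NULL with the same character set expresses the test directly and avoids the extra strlen() pass over the string.
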
-- 
2.7.4

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel



