Hey, On Thu, May 24, 2018 at 02:16:06PM +0100, Frediano Ziglio wrote: > Some characters are reserved and should not be used in Windows > independently by the file system used. > This avoid to use paths in the filename which could lead to some > nasty hacks (like names like "..\hack.txt"). > The return statement cause the file transfer to be aborted with > VD_AGENT_FILE_XFER_STATUS_ERROR as status. > > ":" is used to separate filenames from stream names and can be used > to create hidden streams. Also is used for drive separator (A:) > or device names (NUL:). > "/" and "\" are reserved for components (directory, filename, drive, > share, server) separators. > "*" and "?" are wildcards (which on Windows are supported by > different APIs too). > "<", ">" and "|" are reserved for shell usage. > > Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx> > --- > vdagent/file_xfer.cpp | 4 ++++ > 1 file changed, 4 insertions(+) > > This patch was sent many time ago but I forgot to send with updated > commit message. > > diff --git a/vdagent/file_xfer.cpp b/vdagent/file_xfer.cpp > index e877cca..f604cdf 100644 > --- a/vdagent/file_xfer.cpp > +++ b/vdagent/file_xfer.cpp 
> @@ -72,6 +72,10 @@ void FileXfer::handle_start(VDAgentFileXferStartMessage* start, > return; > } > vd_printf("%u %s (%" PRIu64 ")", start->id, file_name, file_size); > + if (strcspn(file_name, "<>:\"/\\|?*") != strlen(file_name)) { https://bugzilla.redhat.com/show_bug.cgi?id=1520393 (which you could mention in the commit log) also lists ' as a reserved character. You filter " here, but did not mention it in the commit log. Maybe this could go in a constant? "RESERVED_FILENAME_CHARS" or such? Christophe > + vd_printf("filename contains invalid characters"); > + return; > + } > if (!as_user.begin()) { > vd_printf("as_user failed"); > return; > -- > 2.17.0 > > _______________________________________________ > Spice-devel mailing list > Spice-devel@xxxxxxxxxxxxxxxxxxxxx > https://lists.freedesktop.org/mailman/listinfo/spice-devel
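Review bot: The reject list in the new `strcspn` check in `FileXfer::handle_start` covers `<>:"/\|?*` but not control characters (bytes 1 to 31), which Windows also disallows in file names. A bare reserved device name such as `NUL` also still passes, because only the colon form is caught, even though the commit message gives device names as a reason for filtering ":". Consider rejecting any byte below 0x20 and comparing the base name against the reserved device names before `as_user.begin()`. As a style point, `strpbrk(file_name, ...) != NULL` states the intent more directly than comparing `strcspn` with `strlen`, and it would pair well with the named constant suggested in the reply. The log line "filename contains invalid characters" could include `start->id` so an aborted transfer can be matched to its request.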