>
> Hey,
>
> On Thu, May 24, 2018 at 02:16:06PM +0100, Frediano Ziglio wrote:
> > Some characters are reserved and should not be used in Windows
> > independently of the file system used.
> > This avoids using paths in the filename which could lead to some
> > nasty hacks (like names like "..\hack.txt").
> > The return statement causes the file transfer to be aborted with
> > VD_AGENT_FILE_XFER_STATUS_ERROR as status.
> >
> > ":" is used to separate filenames from stream names and can be used
> > to create hidden streams. It is also used for drive separator (A:)
> > or device names (NUL:).
> > "/" and "\" are reserved for components (directory, filename, drive,
> > share, server) separators.
> > "*" and "?" are wildcards (which on Windows are supported by
> > different APIs too).
> > "<", ">" and "|" are reserved for shell usage.
> >
> > Signed-off-by: Frediano Ziglio <fziglio@xxxxxxxxxx>
> > --- > > vdagent/file_xfer.cpp | 4 ++++ > > 1 file changed, 4 insertions(+)
> >
> > This patch was sent a long time ago but I forgot to send it with an updated
> > commit message.
> >
> > diff --git a/vdagent/file_xfer.cpp b/vdagent/file_xfer.cpp > > index e877cca..f604cdf 100644 > > --- a/vdagent/file_xfer.cpp > > +++ b/vdagent/file_xfer.cpp
> > @@ -72,6 +72,10 @@ void FileXfer::handle_start(VDAgentFileXferStartMessage* > > start, > > return; > > } > > vd_printf("%u %s (%" PRIu64 ")", start->id, file_name, file_size); > > + if (strcspn(file_name, "<>:\"/\\|?*") != strlen(file_name)) {
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1520393 (which you could
> mention in the commit log) also lists ' as a reserved character.

According to Microsoft documentation (and also to a manual test) ' is not reserved;
I think it was used in the bug as a string quotation.

> You filter " here, but did not mention it in the commit log.
> Maybe this could go in a constant? "RESERVED_FILENAME_CHARS" or such?
>

Sure, sent a new version.

> Christophe
>
> > + vd_printf("filename contains invalid characters"); > > + return; > > + } > > if (!as_user.begin()) { > > vd_printf("as_user failed"); > > return;

Frediano
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
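
Review bot: the bare return added after vd_printf("filename contains invalid characters") relies on behaviour that is not visible at the call site: the commit message says returning here aborts the transfer with VD_AGENT_FILE_XFER_STATUS_ERROR, but nothing in the hunk says so, and a one-line comment above the return would make that explicit for the next reader. The reserved set passed to strcspn is also an unexplained literal, and it includes the double quote, which the commit message does not list; a named constant carrying the per-character rationale from the commit message as a comment would keep the code and its justification together. Note too that the test only rejects names that contain one of those nine characters, so an empty file_name passes it; if that case is already rejected earlier in handle_start this is fine, otherwise it is worth checking here as well.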