[Libreoffice-commits] online.git: loolwsd/ChildSession.cpp
Pranav Kant
pranavk at collabora.co.uk
Thu Jul 21 10:58:10 UTC 2016
loolwsd/ChildSession.cpp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
New commits:
commit 81b14c51f23e534892822150e9a2c0789ba3f86d
Author: Pranav Kant <pranavk at collabora.co.uk>
Date: Thu Jul 21 16:01:35 2016 +0530
loolwsd: security: Sanitize user input in downloadAs requests
diff --git a/loolwsd/ChildSession.cpp b/loolwsd/ChildSession.cpp
index 73738b2..6b562dc 100644
--- a/loolwsd/ChildSession.cpp
+++ b/loolwsd/ChildSession.cpp
@@ -788,7 +788,10 @@ bool ChildSession::downloadAs(const char* /*buffer*/, int /*length*/, StringToke
// The file is removed upon downloading.
const auto tmpDir = Util::createRandomDir(JAILED_DOCUMENT_ROOT);
- const auto url = JAILED_DOCUMENT_ROOT + tmpDir + "/" + name;
+ // Prevent user inputting anything funny here.
+ // A "name" should always be a name, not a path
+ const Poco::Path filenameParam(name);
+ const auto url = JAILED_DOCUMENT_ROOT + tmpDir + "/" + filenameParam.getFileName();
std::unique_lock<std::recursive_mutex> lock(Mutex);
More information about the Libreoffice-commits
mailing list