[Libreoffice-commits] online.git: loolwsd/ChildSession.cpp

Pranav Kant pranavk at collabora.co.uk
Thu Jul 21 10:58:10 UTC 2016


 loolwsd/ChildSession.cpp |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

New commits:
commit 81b14c51f23e534892822150e9a2c0789ba3f86d
Author: Pranav Kant <pranavk at collabora.co.uk>
Date:   Thu Jul 21 16:01:35 2016 +0530

    loolwsd: security: Sanitize user input in downloadAs requests

diff --git a/loolwsd/ChildSession.cpp b/loolwsd/ChildSession.cpp
index 73738b2..6b562dc 100644
--- a/loolwsd/ChildSession.cpp
+++ b/loolwsd/ChildSession.cpp
@@ -788,7 +788,10 @@ bool ChildSession::downloadAs(const char* /*buffer*/, int /*length*/, StringToke
 
     // The file is removed upon downloading.
     const auto tmpDir = Util::createRandomDir(JAILED_DOCUMENT_ROOT);
-    const auto url = JAILED_DOCUMENT_ROOT + tmpDir + "/" + name;
+    // Prevent user inputting anything funny here.
+    // A "name" should always be a name, not a path
+    const Poco::Path filenameParam(name);
+    const auto url = JAILED_DOCUMENT_ROOT + tmpDir + "/" + filenameParam.getFileName();
 
     std::unique_lock<std::recursive_mutex> lock(Mutex);
 
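Review bot: `getFileName()` only strips directory components; it does not validate the remaining component, so the new `url` line still needs a guard for the degenerate cases. With Poco's Unix path parsing the final component is stored as the file name without normalization, so an empty `name`, or one consisting solely of `.` or `..`, comes back from `getFileName()` unchanged and is then appended to `JAILED_DOCUMENT_ROOT + tmpDir + "/"`. Suggest rejecting those results before building `url`, for example returning an error to the client when `filenameParam.getFileName()` is empty or equals `"."` / `".."`, and adding a unit test for each case alongside the `a/b/c` path-stripping case this change is meant to cover. Minor: the new comment would read better as "Prevent the user from passing a path here: a "name" must be a bare file name."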

