[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-1-0' - loolwsd/ChildProcessSession.cpp
Pranav Kant
pranavk at collabora.co.uk
Thu Jul 21 10:58:47 UTC 2016
loolwsd/ChildProcessSession.cpp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
New commits:
commit 2309e5edf88e5b5e264363fbcc59b89220cc85e8
Author: Pranav Kant <pranavk at collabora.co.uk>
Date: Thu Jul 21 16:01:35 2016 +0530
loolwsd: security: Sanitize user input in downloadAs requests
(cherry picked from commit 81b14c51f23e534892822150e9a2c0789ba3f86d)
diff --git a/loolwsd/ChildProcessSession.cpp b/loolwsd/ChildProcessSession.cpp
index 0d07b44..3fe0ea0 100644
--- a/loolwsd/ChildProcessSession.cpp
+++ b/loolwsd/ChildProcessSession.cpp
@@ -788,7 +788,10 @@ bool ChildProcessSession::downloadAs(const char* /*buffer*/, int /*length*/, Str
// The file is removed upon downloading.
const auto tmpDir = Util::createRandomDir(JAILED_DOCUMENT_ROOT);
- const auto url = JAILED_DOCUMENT_ROOT + tmpDir + "/" + name;
+ // Prevent user inputting anything funny here.
+ // A "name" should always be a name, not a path
+ const Poco::Path filenameParam(name);
+ const auto url = JAILED_DOCUMENT_ROOT + tmpDir + "/" + filenameParam.getFileName();
std::unique_lock<std::recursive_mutex> lock(Mutex);
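Review bot: Stripping the directory part of `name` on the new line 24 can leave an empty file name — a `name` that ends in `/` (and, depending on how Poco::Path classifies a trailing `.`/`..`, those too) makes `getFileName()` return `""`, so `url` becomes `JAILED_DOCUMENT_ROOT + tmpDir + "/"`, i.e. the freshly created directory itself rather than a file inside it. That is no longer a traversal, but whatever consumes `url` further down then targets a directory, which this hunk does not guard against. I would reject the empty case before building `url`, e.g. `const std::string filename = Poco::Path(name).getFileName();` followed by `if (filename.empty()) return false; // nothing safe to write to` (reporting the error the way the rest of downloadAs does, which is outside this hunk), and only then concatenate `filename`. Whether `name` still needs further restriction (characters that are special to whatever `url` is handed to) cannot be judged from the hunk, since the use of `url` lies outside it; downloadAs both starts and ends outside the hunk.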