[Spice-devel] [vdagent-win PATCH] Avoid to use names with reserved characters.

Frediano Ziglio fziglio at redhat.com
Fri May 25 11:27:46 UTC 2018


> 
> Hey,
> 
> On Thu, May 24, 2018 at 02:16:06PM +0100, Frediano Ziglio wrote:
> > Some characters are reserved and should not be used in Windows
> > independently of the file system used.
> > This avoids using paths in the filename which could lead to some
> > nasty hacks (like names like "..\hack.txt").
> > The return statement causes the file transfer to be aborted with
> > VD_AGENT_FILE_XFER_STATUS_ERROR as status.
> > 
> > ":" is used to separate filenames from stream names and can be used
> > to create hidden streams. It is also used as the drive separator (A:)
> > or in device names (NUL:).
> > "/" and "\" are reserved for components (directory, filename, drive,
> > share, server) separators.
> > "*" and "?" are wildcards (which on Windows are supported by
> > different APIs too).
> > "<", ">" and "|" are reserved for shell usage.
> > 
> > Signed-off-by: Frediano Ziglio <fziglio at redhat.com>
> > ---
> >  vdagent/file_xfer.cpp | 4 ++++
> >  1 file changed, 4 insertions(+)
> > 
> > This patch was sent a long time ago but I forgot to send it with an
> > updated commit message.
> > 
> > diff --git a/vdagent/file_xfer.cpp b/vdagent/file_xfer.cpp
> > index e877cca..f604cdf 100644
> > --- a/vdagent/file_xfer.cpp
> > +++ b/vdagent/file_xfer.cpp
> > @@ -72,6 +72,10 @@ void FileXfer::handle_start(VDAgentFileXferStartMessage*
> > start,
> >          return;
> >      }
> >      vd_printf("%u %s (%" PRIu64 ")", start->id, file_name, file_size);
> > +    if (strcspn(file_name, "<>:\"/\\|?*") != strlen(file_name)) {
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1520393 (which you could
> mention in the commit log) also lists ' as a reserved character.

According to Microsoft documentation (and also to a manual test) ' is
not reserved; I think it was used in the bug for string quotation.

> You filter " here, but did not mention it in the commit log.
> Maybe this could go in a constant? "RESERVED_FILENAME_CHARS" or such?
> 

Sure, sent a new version.

> Christophe
> 
> > +        vd_printf("filename contains invalid characters");
> > +        return;
> > +    }
> >      if (!as_user.begin()) {
> >          vd_printf("as_user failed");
> >          return;
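
Review bot: In the added condition, comparing strcspn(file_name, ...) against strlen(file_name) scans the name twice to answer a yes/no question; strpbrk(file_name, ...) != NULL (or testing file_name[strcspn(...)] against '\0') states the intent directly. The reserved set is an inline literal and includes the double quote, which the commit message does not explain; a named constant with a short comment per character would keep the code and the log in step. The test covers only the listed punctuation, so a bare ".." or a device name written without the colon, such as "NUL", still reaches as_user.begin(); it is worth confirming that the code after this point rejects or safely handles those names.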

Frediano
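
The check discussed in this thread, as an added C example (not code from the patch or from vdagent-win): it keeps the patch's reserved set and, going beyond the patch, also rejects control characters, trailing dots or spaces and DOS device names, following Microsoft's file naming guidance. The helpers is_safe_filename and is_device_name and the sample names are assumptions made for the illustration; the constant name is the one suggested in the review.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Reserved set taken from the patch; the constant name follows the review suggestion. */
static const char RESERVED_FILENAME_CHARS[] = "<>:\"/\\|?*";

/* Assumption beyond the patch: DOS device names, with or without an extension. */
static int is_device_name(const char *name)
{
    static const char *const devs[] = { "CON", "PRN", "AUX", "NUL", "COM", "LPT" };
    size_t stem = strcspn(name, ".");   /* "NUL.txt" is treated like "NUL" */
    char up[4] = { 0 };
    size_t i;
    if (stem != 3 && stem != 4) return 0;
    for (i = 0; i < 3; i++)
        up[i] = (char)toupper((unsigned char)name[i]);
    for (i = 0; i < 6; i++) {
        if (strcmp(up, devs[i]) != 0) continue;
        if (i < 4) return stem == 3;                          /* CON, PRN, AUX, NUL */
        return stem == 4 && isdigit((unsigned char)name[3]);  /* COMn, LPTn */
    }
    return 0;
}

/* Hypothetical helper: 1 if name is usable as a single file name component. */
int is_safe_filename(const char *name)
{
    size_t len = strlen(name);
    const unsigned char *p;
    if (len == 0) return 0;
    if (strpbrk(name, RESERVED_FILENAME_CHARS) != NULL) return 0; /* the patch's check */
    for (p = (const unsigned char *)name; *p; p++)
        if (*p < 0x20) return 0;                    /* control characters */
    if (name[len - 1] == '.' || name[len - 1] == ' ')
        return 0;                                   /* also rejects "." and ".." */
    return !is_device_name(name);
}

int main(void)
{
    /* Constructed sample names, not taken from the bug report. */
    const char *samples[] = { "report.txt", "..\\hack.txt", "a.txt:hidden", "it's.txt", "NUL", ".." };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-14s %s\n", samples[i], is_safe_filename(samples[i]) ? "accept" : "reject");
    return 0;
}
```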

