Mercurial Mercurial > upstream > oracle > userland-gate / file revision
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
components/desktop/rdesktop/patches/rdesktop-04-remote-file-access.patch
author Niveditha Rau <Niveditha.Rau@Oracle.COM>
Wed, 16 Nov 2016 18:51:09 -0800
changeset 7330 e40cd9caccc7
permissions -rw-r--r--
23245493 Move rdesktop 1.6.0 to Userland

Existing set of patches from the desktop gate.  Potentially send upstream

--- rdesktop-1.6.0.orig/disk.c	2008-02-16 01:13:25.000000000 +0100
+++ rdesktop-1.6.0/disk.c	2011-06-13 18:29:54.232977906 +0200
@@ -356,6 +356,19 @@
 		filename[strlen(filename) - 1] = 0;
 	sprintf(path, "%s%s", g_rdpdr_device[device_id].local_path, filename);
 
+	/* Protect against mailicous servers:
+	   somelongpath/..     # not allowed
+	               /../b   # not allowed
+                      /..b    # currently not allowed
+                      /b..    # allowed
+                      /b..b   # allowed
+                      /b../c  # allowed
+        */
+        if (strstr(path, "/.."))
+        {
+            return RD_STATUS_ACCESS_DENIED;
+        }
+
 	switch (create_disposition)
 	{
 		case CREATE_ALWAYS:
upstream/oracle/userland-gate