Skip to content

Detect .. in Paths Correctly #2512

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Feb 26, 2021
Merged

Detect .. in Paths Correctly #2512

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
61db590
Detect `..` in Paths Correctly
felixhandte Feb 26, 2021
9b7f9d2
Cover These Edge Cases in Tests
felixhandte Feb 26, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 21 additions & 1 deletion programs/util.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -679,7 +679,27 @@ const char* UTIL_getFileExtension(const char* infilename)

static int pathnameHas2Dots(const char *pathname)
{
return NULL != strstr(pathname, "..");
/* We need to figure out whether any ".." present in the path is a whole
* path token, which is the case if it is bordered on both sides by either
* the beginning/end of the path or by a directory separator.
*/
const char *needle = pathname;
while (1) {
needle = strstr(needle, "..");

if (needle == NULL) {
return 0;
}

if ((needle == pathname || needle[-1] == PATH_SEP)
&& (needle[2] == '\0' || needle[2] == PATH_SEP)) {
return 1;
}

/* increment so we search for the next match */
needle++;
};
return 0;
}

static int isFileNameValidForMirroredOutput(const char *filename)
Expand Down
18 changes: 12 additions & 6 deletions tests/playTests.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -486,23 +486,29 @@ rm -rf tmp*
if [ "$isWindows" = false ] ; then
println "\n===> compress multiple files into an output directory and mirror input folder, --output-dir-mirror"
println "test --output-dir-mirror" > tmp1
mkdir -p tmpInputTestDir/we/must/go/deeper
println cool > tmpInputTestDir/we/must/go/deeper/tmp2
mkdir -p tmpInputTestDir/we/.../..must/go/deeper..
println cool > tmpInputTestDir/we/.../..must/go/deeper../tmp2
zstd tmp1 -r tmpInputTestDir --output-dir-mirror tmpOutDir
test -f tmpOutDir/tmp1.zst
test -f tmpOutDir/tmpInputTestDir/we/must/go/deeper/tmp2.zst
test -f tmpOutDir/tmpInputTestDir/we/.../..must/go/deeper../tmp2.zst

println "test: compress input dir will be ignored if it has '..'"
zstd -r tmpInputTestDir/we/must/../must --output-dir-mirror non-exist && die "input cannot contain '..'"
zstd -r tmpInputTestDir/we/.../..must/../..mustgo/deeper.. --output-dir-mirror non-exist && die "input cannot contain '..'"
zstd -r tmpInputTestDir/we/.../..must/deeper../.. --output-dir-mirror non-exist && die "input cannot contain '..'"
zstd -r ../tests/tmpInputTestDir/we/.../..must/deeper.. --output-dir-mirror non-exist && die "input cannot contain '..'"
test ! -d non-exist

println "test: compress input dir should succeed with benign uses of '..'"
zstd -r tmpInputTestDir/we/.../..must/go/deeper.. --output-dir-mirror tmpout
test -d tmpout

println "test : decompress multiple files into an output directory, --output-dir-mirror"
zstd tmpOutDir -r -d --output-dir-mirror tmpOutDirDecomp
test -f tmpOutDirDecomp/tmpOutDir/tmp1
test -f tmpOutDirDecomp/tmpOutDir/tmpInputTestDir/we/must/go/deeper/tmp2
test -f tmpOutDirDecomp/tmpOutDir/tmpInputTestDir/we/.../..must/go/deeper../tmp2

println "test: decompress input dir will be ignored if it has '..'"
zstd -r tmpOutDir/tmpInputTestDir/we/must/../must --output-dir-mirror non-exist && die "input cannot contain '..'"
zstd -r tmpOutDir/tmpInputTestDir/we/.../..must/../..must --output-dir-mirror non-exist && die "input cannot contain '..'"
test ! -d non-exist

rm -rf tmp*
Expand Down