From 548eae95f27fc2dbd94f66bdba0d2d4aa0c4082b Mon Sep 17 00:00:00 2001
From: stonedDiscord <10584181+stonedDiscord@users.noreply.github.com>
Date: Mon, 16 Nov 2020 14:49:28 +0100
Subject: [PATCH] filter path traversal

---
 src/path_functions.cpp | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/path_functions.cpp b/src/path_functions.cpp
index 4d5a291..b1d7976 100644
--- a/src/path_functions.cpp
+++ b/src/path_functions.cpp
@@ -101,15 +101,19 @@ QString AOApplication::get_evidence_path(QString p_file)
 
 QString AOApplication::get_case_sensitive_path(QString p_file)
 {
+  QFileInfo file(p_file);
+  QString file_basename = file.fileName();
+
+  // no path traversal above base folder
+  if (!(file.absolutePath().startsWith(get_base_path())))
+      return get_base_path() + file_basename;
+
   #ifdef CASE_SENSITIVE_FILESYSTEM
   // first, check to see if it's actually there (also serves as base case for
   // recursion)
   if (exists(p_file))
     return p_file;
 
-  QFileInfo file(p_file);
-
-  QString file_basename = file.fileName();
   QString file_parent_dir = get_case_sensitive_path(file.absolutePath());
 
   // second, does it exist in the new parent dir?