From 10298230ce72c6b00336fb0ca099ba747d4cb421 Mon Sep 17 00:00:00 2001 From: stonedDiscord <10584181+stonedDiscord@users.noreply.github.com> Date: Mon, 16 Nov 2020 14:32:04 +0100 Subject: [PATCH 1/2] clean up path functions --- src/path_functions.cpp | 40 ++++------------------------------------ 1 file changed, 4 insertions(+), 36 deletions(-) diff --git a/src/path_functions.cpp b/src/path_functions.cpp index 10c8ae5..4d5a291 100644 --- a/src/path_functions.cpp +++ b/src/path_functions.cpp 
@@ -44,61 +44,37 @@ QString AOApplication::get_data_path() { return get_base_path() + "data/"; } QString AOApplication::get_default_theme_path(QString p_file) { QString path = get_base_path() + "themes/default/" + p_file; -#ifndef CASE_SENSITIVE_FILESYSTEM - return path; -#else return get_case_sensitive_path(path); -#endif } QString AOApplication::get_custom_theme_path(QString p_theme, QString p_file) { QString path = get_base_path() + "themes/" + p_theme + "/" + p_file; -#ifndef CASE_SENSITIVE_FILESYSTEM - return path; -#else return get_case_sensitive_path(path); -#endif } QString AOApplication::get_theme_path(QString p_file) { QString path = get_base_path() + "themes/" + current_theme + "/" + p_file; -#ifndef CASE_SENSITIVE_FILESYSTEM - return path; -#else return get_case_sensitive_path(path); -#endif } QString AOApplication::get_character_path(QString p_char, QString p_file) { QString path = get_base_path() + "characters/" + p_char + "/" + p_file; -#ifndef CASE_SENSITIVE_FILESYSTEM - return path; -#else return get_case_sensitive_path(path); -#endif } QString AOApplication::get_sounds_path(QString p_file) { QString path = get_base_path() + "sounds/general/" + p_file; -#ifndef CASE_SENSITIVE_FILESYSTEM - return path; -#else return get_case_sensitive_path(path); -#endif } QString AOApplication::get_music_path(QString p_song) { QString path = get_base_path() + "sounds/music/" + p_song; -#ifndef CASE_SENSITIVE_FILESYSTEM - return path; -#else return get_case_sensitive_path(path); -#endif } QString AOApplication::get_background_path(QString p_file) @@ -106,11 +82,7 @@ QString AOApplication::get_background_path(QString p_file) QString path = get_base_path() + "background/" + w_courtroom->get_current_background() + "/" + p_file; if (courtroom_constructed) { -#ifndef CASE_SENSITIVE_FILESYSTEM - return path; -#else return get_case_sensitive_path(path); -#endif } return get_default_background_path(p_file); } 
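Review bot: In get_background_path the path is still built with `w_courtroom->get_current_background()` before `courtroom_constructed` is tested, so the pointer is dereferenced even on the branch that falls back to the default background. If w_courtroom can be null or unset before the courtroom exists (not visible here), the result is a crash rather than the intended fallback. Putting the guard first, `if (!courtroom_constructed) return get_default_background_path(p_file);`, makes the check effective and removes the nested block this hunk leaves behind. The function's signature and opening brace are outside the hunk.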
@@ -118,25 +90,18 @@ QString AOApplication::get_background_path(QString p_file) QString AOApplication::get_default_background_path(QString p_file) { QString path = get_base_path() + "background/default/" + p_file; -#ifndef CASE_SENSITIVE_FILESYSTEM - return path; -#else return get_case_sensitive_path(path); -#endif } QString AOApplication::get_evidence_path(QString p_file) { QString path = get_base_path() + "evidence/" + p_file; -#ifndef CASE_SENSITIVE_FILESYSTEM - return path; -#else return get_case_sensitive_path(path); -#endif } QString AOApplication::get_case_sensitive_path(QString p_file) { + #ifdef CASE_SENSITIVE_FILESYSTEM // first, check to see if it's actually there (also serves as base case for // recursion) if (exists(p_file)) @@ -163,4 +128,7 @@ QString AOApplication::get_case_sensitive_path(QString p_file) // if nothing is found, let the caller handle the missing file return file_parent_dir + "/" + file_basename; +#else + return p_file; +#endif } From 548eae95f27fc2dbd94f66bdba0d2d4aa0c4082b Mon Sep 17 00:00:00 2001 From: stonedDiscord <10584181+stonedDiscord@users.noreply.github.com> Date: Mon, 16 Nov 2020 14:49:28 +0100 Subject: [PATCH 2/2] filter path traversal --- src/path_functions.cpp | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/path_functions.cpp b/src/path_functions.cpp index 4d5a291..b1d7976 100644 --- a/src/path_functions.cpp +++ b/src/path_functions.cpp 
@@ -101,15 +101,19 @@ QString AOApplication::get_evidence_path(QString p_file) QString AOApplication::get_case_sensitive_path(QString p_file) { + QFileInfo file(p_file); + QString file_basename = file.fileName(); + + // no path traversal above base folder + if (!(file.absolutePath().startsWith(get_base_path()))) + return get_base_path() + file_basename; + #ifdef CASE_SENSITIVE_FILESYSTEM // first, check to see if it's actually there (also serves as base case for // recursion) if (exists(p_file)) return p_file; - QFileInfo file(p_file); - - QString file_basename = file.fileName(); QString file_parent_dir = get_case_sensitive_path(file.absolutePath()); // second, does it exist in the new parent dir?
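Review bot: The traversal guard added at the top of get_case_sensitive_path is a plain string-prefix test on `file.absolutePath()`, which Qt documents as not necessarily removing redundant `.`/`..` elements and which never resolves symlinks, so the check relies on normalisation the code does not request. Making it explicit is safer: `const QString clean = QDir::cleanPath(file.absoluteFilePath());` followed by `if (!clean.startsWith(QDir::cleanPath(get_base_path()) + "/"))`, where the trailing separator stops a sibling directory sharing the base folder's name prefix from matching (this assumes QDir is already included in the file, and it is still a lexical check that does not cover symlinks inside the base folder). On rejection the function returns `get_base_path() + file_basename`, a valid-looking path to a different file; returning an empty QString and logging the rejected input would let callers treat it as a missing asset, provided they cope with an empty path. Under CASE_SENSITIVE_FILESYSTEM the guard also runs on every recursive call, because the function recurses on the parent directory, so its behaviour when the recursion reaches the base folder itself deserves a test. The remainder of the function body lies outside the hunk.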