Mamanyonyo/atrooney-online-2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #340 from AttorneyOnline/path-traversal

Browse Source 
Prevent path from escaping base.

Truly the end of an era.
Alexa, play ../../../../../../../../Users/Public/Music/Sample Music/Kalimba.mp3
This commit is contained in:
oldmud0 2020-12-28 00:48:00 -06:00 committed by GitHub
commit 8ed373597b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
src/path_functions.cpp
View File

@ -44,61 +44,37 @@ QString AOApplication::get_data_path() { return get_base_path() + "data/"; }
QString AOApplication::get_default_theme_path(QString p_file) QString AOApplication::get_default_theme_path(QString p_file)
{ {
QString path = get_base_path() + "themes/default/" + p_file; QString path = get_base_path() + "themes/default/" + p_file;
#ifndef CASE_SENSITIVE_FILESYSTEM
return path;
#else
return get_case_sensitive_path(path); return get_case_sensitive_path(path);
#endif
} }
QString AOApplication::get_custom_theme_path(QString p_theme, QString p_file) QString AOApplication::get_custom_theme_path(QString p_theme, QString p_file)
{ {
QString path = get_base_path() + "themes/" + p_theme + "/" + p_file; QString path = get_base_path() + "themes/" + p_theme + "/" + p_file;
#ifndef CASE_SENSITIVE_FILESYSTEM
return path;
#else
return get_case_sensitive_path(path); return get_case_sensitive_path(path);
#endif
} }
QString AOApplication::get_theme_path(QString p_file) QString AOApplication::get_theme_path(QString p_file)
{ {
QString path = get_base_path() + "themes/" + current_theme + "/" + p_file; QString path = get_base_path() + "themes/" + current_theme + "/" + p_file;
#ifndef CASE_SENSITIVE_FILESYSTEM
return path;
#else
return get_case_sensitive_path(path); return get_case_sensitive_path(path);
#endif
} }
QString AOApplication::get_character_path(QString p_char, QString p_file) QString AOApplication::get_character_path(QString p_char, QString p_file)
{ {
QString path = get_base_path() + "characters/" + p_char + "/" + p_file; QString path = get_base_path() + "characters/" + p_char + "/" + p_file;
#ifndef CASE_SENSITIVE_FILESYSTEM
return path;
#else
return get_case_sensitive_path(path); return get_case_sensitive_path(path);
#endif
} }
QString AOApplication::get_sounds_path(QString p_file) QString AOApplication::get_sounds_path(QString p_file)
{ {
QString path = get_base_path() + "sounds/general/" + p_file; QString path = get_base_path() + "sounds/general/" + p_file;
#ifndef CASE_SENSITIVE_FILESYSTEM
return path;
#else
return get_case_sensitive_path(path); return get_case_sensitive_path(path);
#endif
} }
QString AOApplication::get_music_path(QString p_song) QString AOApplication::get_music_path(QString p_song)
{ {
QString path = get_base_path() + "sounds/music/" + p_song; QString path = get_base_path() + "sounds/music/" + p_song;
#ifndef CASE_SENSITIVE_FILESYSTEM
return path;
#else
return get_case_sensitive_path(path); return get_case_sensitive_path(path);
#endif
} }
QString AOApplication::get_background_path(QString p_file) QString AOApplication::get_background_path(QString p_file)
@ -106,11 +82,7 @@ QString AOApplication::get_background_path(QString p_file)
QString path = get_base_path() + "background/" + QString path = get_base_path() + "background/" +
w_courtroom->get_current_background() + "/" + p_file; w_courtroom->get_current_background() + "/" + p_file;
if (courtroom_constructed) { if (courtroom_constructed) {
#ifndef CASE_SENSITIVE_FILESYSTEM
return path;
#else
return get_case_sensitive_path(path); return get_case_sensitive_path(path);
#endif
} }
return get_default_background_path(p_file); return get_default_background_path(p_file);
} }
@ -118,33 +90,30 @@ QString AOApplication::get_background_path(QString p_file)
QString AOApplication::get_default_background_path(QString p_file) QString AOApplication::get_default_background_path(QString p_file)
{ {
QString path = get_base_path() + "background/default/" + p_file; QString path = get_base_path() + "background/default/" + p_file;
#ifndef CASE_SENSITIVE_FILESYSTEM
return path;
#else
return get_case_sensitive_path(path); return get_case_sensitive_path(path);
#endif
} }
QString AOApplication::get_evidence_path(QString p_file) QString AOApplication::get_evidence_path(QString p_file)
{ {
QString path = get_base_path() + "evidence/" + p_file; QString path = get_base_path() + "evidence/" + p_file;
#ifndef CASE_SENSITIVE_FILESYSTEM
return path;
#else
return get_case_sensitive_path(path); return get_case_sensitive_path(path);
#endif
} }
QString AOApplication::get_case_sensitive_path(QString p_file) QString AOApplication::get_case_sensitive_path(QString p_file)
{ {
QFileInfo file(p_file);
QString file_basename = file.fileName();
// no path traversal above base folder
if (!(file.absolutePath().startsWith(get_base_path())))
return get_base_path() + file_basename;
#ifdef CASE_SENSITIVE_FILESYSTEM
// first, check to see if it's actually there (also serves as base case for // first, check to see if it's actually there (also serves as base case for
// recursion) // recursion)
if (exists(p_file)) if (exists(p_file))
return p_file; return p_file;
QFileInfo file(p_file);
QString file_basename = file.fileName();
QString file_parent_dir = get_case_sensitive_path(file.absolutePath()); QString file_parent_dir = get_case_sensitive_path(file.absolutePath());
// second, does it exist in the new parent dir? // second, does it exist in the new parent dir?
@ -163,4 +132,7 @@ QString AOApplication::get_case_sensitive_path(QString p_file)
// if nothing is found, let the caller handle the missing file // if nothing is found, let the caller handle the missing file
return file_parent_dir + "/" + file_basename; return file_parent_dir + "/" + file_basename;
#else
return p_file;
#endif
} }