Update of /cvsroot/dqsd/dqsd/src/DQSDTools
In directory sc8-pr-cvs1:/tmp/cvs-serv11273/src/DQSDTools
Modified Files:
Launcher.cpp Launcher.h
Log Message:
limited Read/WriteFile to the installation directory tree and
limited Read/WriteFile to not read/write dlls and exes
limited RenameFile to not rename dll, exe, bat, and cmd files
Index: Launcher.cpp
===================================================================
RCS file: /cvsroot/dqsd/dqsd/src/DQSDTools/Launcher.cpp,v
retrieving revision 1.39
retrieving revision 1.40
diff -C2 -d -r1.39 -r1.40
*** Launcher.cpp 29 Jun 2003 14:41:29 -0000 1.39
--- Launcher.cpp 29 Jun 2003 22:19:05 -0000 1.40
***************
*** 235,238 ****
--- 235,257 ----
if ( FAILED( hr ) )
return hr;
+
+ // Get the installation directory from the registry to use for making sure the
filenames are in the install path
+ TCHAR szInstallDir[ _MAX_PATH ];
+ hr = GetInstallationDirectory(szInstallDir, sizeof(szInstallDir));
+ if (FAILED ( hr) )
+ return hr;
+
+ // Make sure from filename is in the installation directory tree
+ if (!VerifyFileInDirectoryTree(szFilename, szInstallDir))
+ {
+ return Error(_T("Filename is not in the installation directory
tree."), IID_ILauncher, E_FAIL);
+ }
+
+ // Make sure it's extension is not one of the bad extensions
+ TCHAR *szBadExtensions = _T(".exe;.dll");
+ if (IsFileExtension(szFilename, szBadExtensions))
+ {
+ return Error(_T("Can't read that type of file."), IID_ILauncher,
E_FAIL);
+ }
// Try to open the file
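Review bot: Both new checks in this hunk test `szFilename` exactly as the caller passed it, and nothing visible here canonicalizes the path first. Windows accepts several spellings for one file (CWE-41, path equivalence), so the extension that `PathFindExtension` sees can differ from the file the later open resolves to; whether `VerifyFileInDirectoryTree` normalizes `..` segments is not visible in this diff and should be confirmed. I would resolve the name once, e.g. with `GetFullPathName`, and run the tree check, the extension check and the open on that result, with a comment such as `// all checks below use the canonical path, never the caller's string`. The same applies to the write hunk at 289 and the rename hunks at 786 and 821. The enclosing function starts and ends outside the hunk.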
***************
*** 270,273 ****
--- 289,311 ----
if ( FAILED( hr ) )
return hr;
+
+ // Get the installation directory from the registry to use for making sure the
filenames are in the install path
+ TCHAR szInstallDir[ _MAX_PATH ];
+ hr = GetInstallationDirectory(szInstallDir, sizeof(szInstallDir));
+ if (FAILED ( hr) )
+ return hr;
+
+ // Make sure from filename is in the installation directory tree
+ if (!VerifyFileInDirectoryTree(szFilename, szInstallDir))
+ {
+ return Error(_T("Filename is not in the installation directory
tree."), IID_ILauncher, E_FAIL);
+ }
+
+ // Make sure it's extension is not one of the bad extensions
+ TCHAR *szBadExtensions = _T(".exe;.dll");
+ if (IsFileExtension(szFilename, szBadExtensions))
+ {
+ return Error(_T("Can't write that type of file."), IID_ILauncher,
E_FAIL);
+ }
HANDLE hFile = ::CreateFile( szFilename, GENERIC_WRITE, FILE_SHARE_READ, NULL,
CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
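Review bot: The write path blocks only `.exe;.dll`, while the rename hunks further down block `.exe;.dll;.bat;.cmd`, so a `.bat` or `.cmd` file can still be created in the installation tree through this `CreateFile( ..., CREATE_ALWAYS, ... )` call. One shared list, `static const TCHAR szBlockedExts[] = _T(".exe;.dll;.bat;.cmd");`, used by read, write and rename would remove the mismatch and also stop pointing a non-const `TCHAR *` at a string literal. A deny list still misses other file types the shell will run, so an allow list of the extensions this component really needs to write would be the more robust check. The enclosing function starts and ends outside the hunk.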
***************
*** 704,707 ****
--- 742,757 ----
return hr;
+ // Get the installation directory from the registry to use for making sure the
filenames are in the install path
+ TCHAR szInstallDir[ _MAX_PATH ];
+ hr = GetInstallationDirectory(szInstallDir, sizeof(szInstallDir));
+ if (FAILED ( hr) )
+ return hr;
+
+ // Make sure from filename is in the installation directory tree
+ if (!VerifyFileInDirectoryTree(szFilename, szInstallDir))
+ {
+ return Error(_T("Filename is not in the installation directory
tree."), IID_ILauncher, E_FAIL);
+ }
+
DWORD dwAttributes = ::GetFileAttributes(szFilename);
#pragma warning(disable: 4310) // cast truncates constant value
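Review bot: This is the third verbatim copy of the install-directory lookup and tree check (the hunks at 235 and 289 carry the other two), which makes it easy for one call site to drift from the others. A private helper, for example `HRESULT CheckFileInInstallTree( LPCTSTR szFilename );` (the name is only a suggestion), would keep the policy in one place. Also, `sizeof(szInstallDir)` is a byte count; if `GetInstallationDirectory` treats `dwResultSize` as a character count, which cannot be seen from here, a Unicode build would overstate the buffer, and `sizeof(szInstallDir)/sizeof(TCHAR)` would be the safe argument. The enclosing function starts and ends outside the hunk.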
***************
*** 736,739 ****
--- 786,796 ----
}
+ // Make sure it's extension is not one of the bad extensions
+ TCHAR *szBadExtensions = _T(".exe;.dll;.bat;.cmd");
+ if (IsFileExtension(szFromFilename, szBadExtensions))
+ {
+ return Error(_T("Can't rename that type of file."), IID_ILauncher,
E_FAIL);
+ }
+
// add extra \0 for SHFileOperation call
szFromFilename[lstrlen(szFromFilename)+1] = '\0';
***************
*** 764,767 ****
--- 821,830 ----
}
+ // Make sure it's extension is not one of the bad extensions
+ if (IsFileExtension(szToFilename, szBadExtensions))
+ {
+ return Error(_T("Can't rename that type of file."), IID_ILauncher,
E_FAIL);
+ }
+
// add extra \0 for SHFileOperation call
szToFilename[lstrlen(szToFilename)+1] = '\0';
***************
*** 863,864 ****
--- 926,949 ----
return S_OK;
}
+
+ BOOL CLauncher::IsFileExtension( LPCTSTR szFilename, LPCTSTR szExts)
+ {
+ // szExts expects a string in the format ".ext1;.ext2" - notice the . must be
included as well
+ LPTSTR szFileExt = ::PathFindExtension(szFilename);
+ LPTSTR szSeps = _T(";");
+ LPTSTR szTempExts = _tcsdup(szExts); // make a copy of szExts because it
modifies the buffer
+ LPTSTR szToken = _tcstok( szTempExts, szSeps);
+ BOOL retval = FALSE;
+
+ while (szToken != NULL)
+ {
+ if (_tcsicmp(szFileExt, szToken) == 0)
+ {
+ retval = TRUE;
+ break;
+ }
+ szToken = _tcstok( NULL, szSeps);
+ }
+ free(szTempExts);
+ return retval;
+ }
\ No newline at end of file
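Review bot: `IsFileExtension` never checks the result of `_tcsdup`, so if the allocation fails `_tcstok` is called with a NULL string and the function most likely returns FALSE, which every caller reads as "extension is allowed": the filter fails open. `_tcstok` also keeps hidden state between calls. Scanning `szExts` in place needs no copy and no tokenizer, and the local pointers can then be const; the rewritten function below keeps the same signature and the same results for well-formed lists.

```cpp
BOOL CLauncher::IsFileExtension( LPCTSTR szFilename, LPCTSTR szExts)
{
	// szExts is ".ext1;.ext2" (dot included); scanned in place, so there is
	// no allocation whose failure could make the check report "allowed"
	LPCTSTR szFileExt = ::PathFindExtension(szFilename);
	const size_t cchFileExt = _tcslen(szFileExt);
	if (cchFileExt == 0)
		return FALSE;

	for (LPCTSTR szCur = szExts; *szCur != _T('\0'); )
	{
		LPCTSTR szEnd = _tcschr(szCur, _T(';'));
		const size_t cchTok = szEnd ? static_cast<size_t>(szEnd - szCur) : _tcslen(szCur);
		if (cchTok == cchFileExt && _tcsnicmp(szFileExt, szCur, cchTok) == 0)
			return TRUE;
		szCur = szEnd ? szEnd + 1 : szCur + cchTok;
	}
	return FALSE;
}
```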
Index: Launcher.h
===================================================================
RCS file: /cvsroot/dqsd/dqsd/src/DQSDTools/Launcher.h,v
retrieving revision 1.22
retrieving revision 1.23
diff -C2 -d -r1.22 -r1.23
*** Launcher.h 28 Jun 2003 17:32:03 -0000 1.22
--- Launcher.h 29 Jun 2003 22:19:05 -0000 1.23
***************
*** 108,111 ****
--- 108,112 ----
HRESULT GetInstallationDirectory( LPTSTR szResult, DWORD dwResultSize);
BOOL VerifyFileInDirectoryTree( LPCTSTR szFilename, LPCTSTR szDir);
+ BOOL IsFileExtension( LPCTSTR szFilename, LPCTSTR szExts);
};