loolwsd/ChildProcessSession.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
New commits: commit 2309e5edf88e5b5e264363fbcc59b89220cc85e8 Author: Pranav Kant <pran...@collabora.co.uk> Date: Thu Jul 21 16:01:35 2016 +0530 loolwsd: security: Sanitize user input in downloadAs requests (cherry picked from commit 81b14c51f23e534892822150e9a2c0789ba3f86d) diff --git a/loolwsd/ChildProcessSession.cpp b/loolwsd/ChildProcessSession.cpp index 0d07b44..3fe0ea0 100644 --- a/loolwsd/ChildProcessSession.cpp +++ b/loolwsd/ChildProcessSession.cpp @@ -788,7 +788,10 @@ bool ChildProcessSession::downloadAs(const char* /*buffer*/, int /*length*/, Str // The file is removed upon downloading. const auto tmpDir = Util::createRandomDir(JAILED_DOCUMENT_ROOT); - const auto url = JAILED_DOCUMENT_ROOT + tmpDir + "/" + name; + // Prevent user inputting anything funny here. + // A "name" should always be a name, not a path + const Poco::Path filenameParam(name); + const auto url = JAILED_DOCUMENT_ROOT + tmpDir + "/" + filenameParam.getFileName(); std::unique_lock<std::recursive_mutex> lock(Mutex); _______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits