On Tuesday 12 June 2007 15:41, Frederic Danis wrote:
> - if (strstr(name, "/../"))
> + if ((strstr(name, "/")) || (strncmp(name, "..", 2) == 0))
> {
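Review bot: The replacement condition on the `+` line over-matches: `strstr(name, "/")` refuses every name that contains a slash at all, and `strncmp(name, "..", 2) == 0` also refuses ordinary names that merely begin with two dots, such as "..foo". Neither test considers backslash separators. Consider comparing whole path components against ".." after normalising separators, rather than matching on a prefix or a single character.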
Both versions are incorrect, try the following:
if (strncmp(name, "../", 3) == 0 ||
    strcmp(name, "..") == 0 ||
    (strlen(name) > 3 &&
     (strstr(name, "/../") != NULL ||
      strncmp(name + strlen(name) - 3, "/..", 3) == 0)))
{
A server should possibly deny any such path.
Other stuff should be prepended to this: converting '\\' to '/' and removing any leading '/'.
HS
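
An added example (not part of the original message or of the OpenOBEX code) that combines the two steps described in the reply above: normalise the name first, then refuse any name with a ".." path component. The function names and the 256-byte name limit are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: normalise a received object name in place.
 * Converts '\\' to '/' and strips all leading '/' characters. */
static void normalize_name(char *name)
{
    char *p;
    size_t skip;

    for (p = name; *p != '\0'; p++)
        if (*p == '\\')
            *p = '/';

    skip = strspn(name, "/");
    memmove(name, name + skip, strlen(name + skip) + 1);
}

/* Hypothetical helper: returns 1 if any '/'-separated component of the
 * normalised name is exactly "..", otherwise 0. Names such as "..foo"
 * or "b.." are ordinary file names and are not flagged. */
static int has_dotdot_component(const char *name)
{
    const char *p = name;

    while (*p != '\0') {
        size_t len = strcspn(p, "/");   /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += len;
        if (*p == '/')
            p++;                        /* step over the separator */
    }
    return 0;
}

/* Returns 1 if the name should be refused. Works on a local copy so the
 * caller's buffer is untouched; 256 is an assumed upper bound. */
int name_is_unsafe(const char *name)
{
    char buf[256];

    if (name == NULL || strlen(name) >= sizeof(buf))
        return 1;                       /* refuse missing or over-long names */
    strcpy(buf, name);
    normalize_name(buf);
    return has_dotdot_component(buf);
}
```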
_______________________________________________
Openobex-users mailing list
http://lists.sourceforge.net/lists/listinfo/openobex-users