Bug#863301: marked as done (vcmi: removing a mod can recursively delete $HOME)

Thu, 25 May 2017 00:06:30 -0700 

Your message dated Thu, 25 May 2017 07:03:40 +0000
with message-id <e1ddmo8-0006f0...@fasolo.debian.org>
and subject line Bug#863301: fixed in vcmi 0.99+dfsg-2
has caused the Debian Bug report #863301,
regarding vcmi: removing a mod can recursively delete $HOME
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863301: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863301
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message --- 
Source: vcmi
Severity: critical
Tags: patch
Justification: causes serious data loss

Under the right circumstances, removing a mod can recursively remove
$HOME. For more details see the upstream bugs:

http://bugs.vcmi.eu/view.php?id=2673

http://bugs.vcmi.eu/view.php?id=2680

Patch is attached.

>From 5d8e943787666543df6b858c001ab4e59b09fe2d Mon Sep 17 00:00:00 2001
From: Arseniy Shestakov <m...@arseniyshestakov.com>
Date: Thu, 25 May 2017 03:03:02 +0300
Subject: [PATCH] Launcher: add sanity checks for QDir::removeRecursively.
 Issue 2673

I'm not always fail to uninstall mod, but when I do I remove $HOME
Bumblebee developers should be proud of us...
---
 launcher/modManager/cmodmanager.cpp | 22 ++++++++++++++++++++--
 launcher/modManager/cmodmanager.h   |  1 +
 2 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/launcher/modManager/cmodmanager.cpp 
b/launcher/modManager/cmodmanager.cpp
index 59fd7faf..99a3df32 100644
--- a/launcher/modManager/cmodmanager.cpp
+++ b/launcher/modManager/cmodmanager.cpp
@@ -245,7 +245,7 @@ bool CModManager::doInstallMod(QString modname, QString 
archivePath)
 
        if (!ZipArchive::extract(qstringToPath(archivePath), 
qstringToPath(destDir)))
        {
-               QDir(destDir + modDirName).removeRecursively();
+               removeModDir(destDir + modDirName);
                return addError(modname, "Failed to extract mod data");
        }
 
@@ -270,7 +270,7 @@ bool CModManager::doUninstallMod(QString modname)
        if (!localMods.contains(modname))
                return addError(modname, "Data with this mod was not found");
 
-       if (!QDir(modDir).removeRecursively())
+       if (!removeModDir(modDir))
                return addError(modname, "Failed to delete mod data");
 
        localMods.remove(modname);
@@ -279,3 +279,21 @@ bool CModManager::doUninstallMod(QString modname)
 
        return true;
 }
+
+bool CModManager::removeModDir(QString path)
+{
+       // issues 2673 and 2680 its why you do not recursively remove without 
sanity check
+       QDir checkDir(path);
+       if(!checkDir.cdUp() || QString::compare("Mods", checkDir.dirName(), 
Qt::CaseInsensitive))
+               return false;
+       if(!checkDir.cdUp() || QString::compare("vcmi", checkDir.dirName(), 
Qt::CaseInsensitive))
+               return false;
+
+       QDir dir(path);
+       if(!dir.absolutePath().contains("vcmi", Qt::CaseInsensitive))
+               return false;
+       if(!dir.absolutePath().contains("Mods", Qt::CaseInsensitive))
+               return false;
+
+       return dir.removeRecursively();
+}
diff --git a/launcher/modManager/cmodmanager.h 
b/launcher/modManager/cmodmanager.h
index 800db6b5..b759ef06 100644
--- a/launcher/modManager/cmodmanager.h
+++ b/launcher/modManager/cmodmanager.h
@@ -18,6 +18,7 @@ class CModManager
 
        QStringList recentErrors;
        bool addError(QString modname, QString message);
+       bool removeModDir(QString mod);
 public:
        CModManager(CModList * modList);
 
-- 
2.11.0

--- End Message ---
--- Begin Message --- 
Source: vcmi
Source-Version: 0.99+dfsg-2

We believe that the bug you reported is fixed in the latest version of
vcmi, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Johannes Schauer <jo...@debian.org> (supplier of updated vcmi package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 25 May 2017 08:12:26 +0200
Source: vcmi
Binary: vcmi
Architecture: source
Version: 0.99+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Games Team <pkg-games-de...@lists.alioth.debian.org>
Changed-By: Johannes Schauer <jo...@debian.org>
Description:
 vcmi       - Rewrite of the Heroes of Might and Magic 3 game engine
Closes: 863301
Changes:
 vcmi (0.99+dfsg-2) unstable; urgency=medium
 .
   * Add patch from upstream which makes sure that removing a mod cannot
     accidentally recursively delete $HOME (closes: #863301)
Checksums-Sha1:
 858d3ae7d286c94e741c351b0b68e5544effdd0d 2336 vcmi_0.99+dfsg-2.dsc
 619c90af07e7aa5e6f9ca3d30388b99a9d1da3ee 8460 vcmi_0.99+dfsg-2.debian.tar.xz
Checksums-Sha256:
 d4a47fac96b94c8621ff3564919a04b6259081195cdb1bc1d078e443fc43076b 2336 
vcmi_0.99+dfsg-2.dsc
 0b78db1822434f02e0cb6c8459b3c1bb4ada6650a70634dc735db107f7fe5438 8460 
vcmi_0.99+dfsg-2.debian.tar.xz
Files:
 ada6c3ca43a1484faa725a4415e41630 2336 contrib/games optional 
vcmi_0.99+dfsg-2.dsc
 a53f67119fb5b78d27d46e52dd028279 8460 contrib/games optional 
vcmi_0.99+dfsg-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJFBAEBCAAvFiEElFhU6KL81LF4wVq58sulx4+9g+EFAlkmfwkRHGpvc2NoQGRl
Ymlhbi5vcmcACgkQ8sulx4+9g+G2Qg//co13EvP3RHnWwWE42BM/2xh7+GFh95MZ
e2zAx1W4ioBCdw5WsbU0r2Osrt01lF4iwEYP2yhppEzpjujuyLEdZ/8ST6UswuKL
ExJnwugwMM8fRDHev3qBTJ2mGiydqOY9n0QyYrxOUsuQJhijFypO+PJQuWO9uIwH
aBFO3EQ5mepltFVJPLE+RiFUOUZjF8ovftQmEtNQL2gDmelnWM+mZs2xcQSHAxgQ
5Q2f2KPF6IwdJ4GL92Bj+izm4rF1Xqi3PUi0HqZy+U3AL+HAh2EdwPwLQp+Ls103
o7cW3gB0rF6LEdXk0MuT78R6bPS255dB6V6RpxMDhP+bfFm3HRN6fIFGWht9DT+B
G/zNQm0RGYD5jdI9R2OqKc+GIHzSbnINZw9qIzRpZx2g20NPcPhLtBeJBLEHZ1ou
6V6COGi2HXSWTq4AGjy4r+ytnhyVzlRRFwDAWDZmS0vi6pOs9Pg6rZna/ZpwKsxS
a9oWE6AjQnWi1ofLsv38xCe1o5r/imYnfc1yXJWq5UD6rBXLqjpuUjH7NHAPo2mr
3qIQ9CiHwlOTY5ysx/vc2bFh0QDGjd4c5HlBQyAVNG+a6Uznj8qho6mdQ+F7mu1A
EqAukoGf/8YHxZB8kCaMh7as0JTEFbShFJYhIoXPzOqC9TnLpXxxL8OG8yrGIGtF
+wkC/mHNSpM=
=KTyX
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to