|
Lines 39-44
POSSIBILITY OF SUCH DAMAGE.
Link Here
|
| 39 |
#include <iterator> |
39 |
#include <iterator> |
| 40 |
#include <algorithm> |
40 |
#include <algorithm> |
| 41 |
#include <set> |
41 |
#include <set> |
|
|
42 |
#include <string> |
| 42 |
|
43 |
|
| 43 |
#ifdef _MSC_VER |
44 |
#ifdef _MSC_VER |
| 44 |
#pragma warning(push, 1) |
45 |
#pragma warning(push, 1) |
|
Lines 74-79
namespace
Link Here
|
| 74 |
str += 0x80 | (chr & 0x3f); |
75 |
str += 0x80 | (chr & 0x3f); |
| 75 |
} |
76 |
} |
| 76 |
|
77 |
|
|
|
78 |
bool valid_path_element(std::string const& element) |
| 79 |
{ |
| 80 |
if (element.empty() |
| 81 |
|| element == "." || element == ".." |
| 82 |
|| element[0] == '/' || element[0] == '\\' |
| 83 |
|| element[element.size()-1] == ':') |
| 84 |
return false; |
| 85 |
return true; |
| 86 |
} |
| 87 |
|
| 88 |
fs::path sanitize_path(fs::path const& p) |
| 89 |
{ |
| 90 |
fs::path new_path; |
| 91 |
for (fs::path::const_iterator i = p.begin(); i != p.end(); ++i) |
| 92 |
{ |
| 93 |
if (!valid_path_element(*i)) continue; |
| 94 |
std::string pe = *i; |
| 95 |
new_path /= pe; |
| 96 |
} |
| 97 |
TORRENT_ASSERT(!new_path.is_complete()); |
| 98 |
return new_path; |
| 99 |
} |
| 100 |
|
| 77 |
void verify_encoding(file_entry& target) |
101 |
void verify_encoding(file_entry& target) |
| 78 |
{ |
102 |
{ |
| 79 |
std::string tmp_path; |
103 |
std::string tmp_path; |
|
Lines 184-192
namespace
Link Here
|
| 184 |
for (entry::list_type::const_iterator i = list->begin(); |
208 |
for (entry::list_type::const_iterator i = list->begin(); |
| 185 |
i != list->end(); ++i) |
209 |
i != list->end(); ++i) |
| 186 |
{ |
210 |
{ |
| 187 |
if (i->string() != "..") |
211 |
target.path /= i->string(); |
| 188 |
target.path /= i->string(); |
|
|
| 189 |
} |
212 |
} |
|
|
213 |
target.path = sanitize_path(target.path); |
| 190 |
verify_encoding(target); |
214 |
verify_encoding(target); |
| 191 |
if (target.path.is_complete()) throw std::runtime_error("torrent contains " |
215 |
if (target.path.is_complete()) throw std::runtime_error("torrent contains " |
| 192 |
"a file with an absolute path: '" |
216 |
"a file with an absolute path: '" |
|
Lines 349-371
namespace libtorrent
Link Here
|
| 349 |
else |
373 |
else |
| 350 |
{ m_name = info["name"].string(); } |
374 |
{ m_name = info["name"].string(); } |
| 351 |
|
375 |
|
| 352 |
fs::path tmp = m_name; |
376 |
m_name = sanitize_path(m_name).string(); |
| 353 |
if (tmp.is_complete()) |
377 |
if (!valid_path_element(m_name)) |
| 354 |
{ |
|
|
| 355 |
m_name = tmp.leaf(); |
| 356 |
} |
| 357 |
else if (tmp.has_branch_path()) |
| 358 |
{ |
| 359 |
fs::path p; |
| 360 |
for (fs::path::iterator i = tmp.begin() |
| 361 |
, end(tmp.end()); i != end; ++i) |
| 362 |
{ |
| 363 |
if (*i == "." || *i == "..") continue; |
| 364 |
p /= *i; |
| 365 |
} |
| 366 |
m_name = p.string(); |
| 367 |
} |
| 368 |
if (m_name == ".." || m_name == ".") |
| 369 |
throw std::runtime_error("invalid 'name' of torrent (possible exploit attempt)"); |
378 |
throw std::runtime_error("invalid 'name' of torrent (possible exploit attempt)"); |
| 370 |
|
379 |
|
| 371 |
// extract file list |
380 |
// extract file list |
| 372 |
- |
|
|
