From 160ea4fe2beb1d433c96fc432772fd0122421c95 Mon Sep 17 00:00:00 2001
From: Robert Buchholz <rbu@gentoo.org>
Date: Mon, 8 Jun 2009 12:04:41 +0200
Subject: [PATCH] backport CVE-2009-1760 fix from r3621

---
 src/torrent_info.cpp |   47 ++++++++++++++++++++++++++++-------------------
 1 files changed, 28 insertions(+), 19 deletions(-)

diff --git a/src/torrent_info.cpp b/src/torrent_info.cpp
index 57c8a97..fc6d284 100755
--- a/src/torrent_info.cpp
+++ b/src/torrent_info.cpp
@@ -39,6 +39,7 @@ POSSIBILITY OF SUCH DAMAGE.
 #include <iterator>
 #include <algorithm>
 #include <set>
+#include <string>
 
 #ifdef _MSC_VER
 #pragma warning(push, 1)
@@ -74,6 +75,29 @@ namespace
 		str += 0x80 | (chr & 0x3f);
 	}
 
+	bool valid_path_element(std::string const& element)
+	{
+		if (element.empty()
+			|| element == "." || element == ".."
+			|| element[0] == '/' || element[0] == '\\'
+			|| element[element.size()-1] == ':')
+			return false;
+		return true;
+	}
+
+	fs::path sanitize_path(fs::path const& p)
+	{
+		fs::path new_path;
+		for (fs::path::const_iterator i = p.begin(); i != p.end(); ++i)
+		{
+			if (!valid_path_element(*i)) continue;
+			std::string pe = *i;
+			new_path /= pe;
+		}
+		TORRENT_ASSERT(!new_path.is_complete());
+		return new_path;
+	}
+
 	void verify_encoding(file_entry& target)
 	{
 		std::string tmp_path;
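Review bot: `sanitize_path` carries no comment stating its contract, and its only post-condition is `TORRENT_ASSERT(!new_path.is_complete())`, which is presumably compiled out in release builds. Since this helper is what keeps torrent-supplied paths relative, I would add a header comment such as `// drops empty, ".", "..", separator-led and ':'-terminated elements; result is always relative and may be empty`. `valid_path_element` inspects only the first and last character of an element, so it relies on `fs::path` iteration having already split the input at every separator the platform recognises; that assumption deserves a one-line comment too. The trailing context lines belong to `verify_encoding`, whose body continues outside the hunk.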
@@ -184,9 +208,9 @@ namespace
 		for (entry::list_type::const_iterator i = list->begin();
 			i != list->end(); ++i)
 		{
-			if (i->string() != "..")
-				target.path /= i->string();
+			target.path /= i->string();
 		}
+		target.path = sanitize_path(target.path);
 		verify_encoding(target);
 		if (target.path.is_complete()) throw std::runtime_error("torrent contains "
 			"a file with an absolute path: '"
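Review bot: After `target.path = sanitize_path(target.path);` the path can be empty, because `sanitize_path` silently drops every rejected element (a list made up only of `..` entries leaves nothing), and nothing visible in this hunk rejects that case. The `name` handling in the last hunk of this patch does reject an empty result through `valid_path_element`, so for consistency I would add `if (target.path.empty()) throw std::runtime_error("torrent contains a file with an empty path");` right after the sanitize call. The `is_complete()` test that follows then acts mainly as a runtime backstop for the assert inside `sanitize_path`. The enclosing function starts and ends outside the hunk, so an existing empty-path check further down cannot be ruled out.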
@@ -349,23 +373,8 @@ namespace libtorrent
 		else
 		{ m_name = info["name"].string(); }
 		
-		fs::path tmp = m_name;
-  		if (tmp.is_complete())
-  		{
- 			m_name = tmp.leaf();
-  		}
- 		else if (tmp.has_branch_path())
-  		{
- 			fs::path p;
- 			for (fs::path::iterator i = tmp.begin()
- 				, end(tmp.end()); i != end; ++i)
- 			{
- 				if (*i == "." || *i == "..") continue;
- 				p /= *i;
- 			}
- 			m_name = p.string();
- 		}
- 		if (m_name == ".." || m_name == ".")
+		m_name = sanitize_path(m_name).string();
+		if (!valid_path_element(m_name))
  			throw std::runtime_error("invalid 'name' of torrent (possible exploit attempt)");
 	
 		// extract file list
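Review bot: `valid_path_element(m_name)` is applied to the whole sanitized string rather than to a single element, so for a name with several components it only looks at the first and last character of the joined path. That is sufficient only because `sanitize_path` has already filtered each element, and a comment would keep a later reader from treating this call as the per-element check, e.g. `// elements were validated in sanitize_path(); this catches an empty result`. The removed code reduced an absolute name to its leaf, whereas the new code keeps all surviving components as a relative path; if that difference is intended it should be stated in the commit message. The enclosing function starts before the hunk.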
-- 
1.6.3.1