|
|
@@ -202,6 +202,11 @@ void SoftwareUpdater::_cbHandleGetLatestVersionBinary(void *arg,int code,const s
|
|
|
}
|
|
|
std::string updatesDir(_r->homePath + ZT_PATH_SEPARATOR_S + "updates.d");
|
|
|
std::string updateFilename(url.substr(lastSlash + 1));
|
|
|
+ if ((updateFilename.length() < 3)||(updateFilename.find("..") != std::string::npos)) {
|
|
|
+ LOG("software update failed: invalid URL: filename contains invalid characters");
|
|
|
+ upd->_status = UPDATE_STATUS_IDLE;
|
|
|
+ return;
|
|
|
+ }
|
|
|
for(std::string::iterator c(updateFilename.begin());c!=updateFilename.end();++c) {
|
|
|
// Only allow a list of whitelisted characters to make up the filename to prevent any
|
|
|
// path shenanigans, esp on Windows where / is not the path separator.
|
Adam Ierymenko