summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreyL ProductEngine <alihatskiy@productengine.com>2017-04-19 21:19:04 +0300
committerAndreyL ProductEngine <alihatskiy@productengine.com>2017-04-19 21:19:04 +0300
commitd4d56f004a528ea0cada526132dd77bd410a8fe7 (patch)
tree5c25827ad3c2cfb63f74af23eeb658bd2b19b66c
parent1c5bdf4bdcc4acb23e5042f58b33b78e2a4b8552 (diff)
MAINT-7074 Fixed ability to escape from skin directory with <icon>
-rwxr-xr-xdoc/contributions.txt2
-rw-r--r--indra/llvfs/lldir.cpp11
2 files changed, 11 insertions, 2 deletions
diff --git a/doc/contributions.txt b/doc/contributions.txt
index 2272ec7922..eb012ee318 100755
--- a/doc/contributions.txt
+++ b/doc/contributions.txt
@@ -771,6 +771,8 @@ Kadah Coba
STORM-1060
STORM-1843
Jondan Lundquist
+Joosten Briebers
+ MAINT-7074
Josef Munster
Josette Windlow
Juilan Tripsa
diff --git a/indra/llvfs/lldir.cpp b/indra/llvfs/lldir.cpp
index 86a15f2ef2..924e1166ee 100644
--- a/indra/llvfs/lldir.cpp
+++ b/indra/llvfs/lldir.cpp
@@ -720,6 +720,15 @@ std::vector<std::string> LLDir::findSkinnedFilenames(const std::string& subdir,
<< ((constraint == CURRENT_SKIN)? "CURRENT_SKIN" : "ALL_SKINS")
<< LL_ENDL;
+ // Build results vector.
+ std::vector<std::string> results;
+ // Disallow filenames that may escape subdir
+ if (filename.find("..") != std::string::npos)
+ {
+ LL_WARNS("LLDir") << "Ignoring potentially relative filename '" << filename << "'" << LL_ENDL;
+ return results;
+ }
+
// Cache the default language directory for each subdir we've encountered.
// A cache entry whose value is the empty string means "not localized,
// don't bother checking again."
@@ -784,8 +793,6 @@ std::vector<std::string> LLDir::findSkinnedFilenames(const std::string& subdir,
}
}
- // Build results vector.
- std::vector<std::string> results;
// The process we use depends on 'constraint'.
if (constraint != CURRENT_SKIN) // meaning ALL_SKINS
{