From b59ac959fcf2f1f0435f965d2c7279f529f1ce5c Mon Sep 17 00:00:00 2001
From: Ansariel
Date: Thu, 27 Apr 2017 19:19:11 +0200
Subject: MAINT-6519 Contribution, adds feature to replace inventory links
---
 doc/contributions.txt | 1 +
 1 file changed, 1 insertion(+)
(limited to 'doc')
diff --git a/doc/contributions.txt b/doc/contributions.txt
index 0fb6110adb..2272ec7922 100755
--- a/doc/contributions.txt
+++ b/doc/contributions.txt
@@ -214,6 +214,7 @@ Ansariel Hiller
 MAINT-6953
 MAINT-7028
 MAINT-7059
+ MAINT-6519
 Aralara Rajal
 Arare Chantilly
 CHUIBUG-191
-- cgit v1.3
From d4d56f004a528ea0cada526132dd77bd410a8fe7 Mon Sep 17 00:00:00 2001
From: AndreyL ProductEngine
Date: Wed, 19 Apr 2017 21:19:04 +0300
Subject: MAINT-7074 Fixed ability to escape from skin directory with
---
 doc/contributions.txt | 2 ++
 indra/llvfs/lldir.cpp | 11 +++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
(limited to 'doc')
diff --git a/doc/contributions.txt b/doc/contributions.txt
index 2272ec7922..eb012ee318 100755
--- a/doc/contributions.txt
+++ b/doc/contributions.txt
@@ -771,6 +771,8 @@ Kadah Coba
 STORM-1060
 STORM-1843
 Jondan Lundquist
+Joosten Briebers
+ MAINT-7074
 Josef Munster
 Josette Windlow
 Juilan Tripsa
diff --git a/indra/llvfs/lldir.cpp b/indra/llvfs/lldir.cpp
index 86a15f2ef2..924e1166ee 100644
--- a/indra/llvfs/lldir.cpp
+++ b/indra/llvfs/lldir.cpp
@@ -720,6 +720,15 @@ std::vector LLDir::findSkinnedFilenames(const std::string& subdir,
 << ((constraint == CURRENT_SKIN)? "CURRENT_SKIN" : "ALL_SKINS") << LL_ENDL;
+ // Build results vector.
+ std::vector results;
+ // Disallow filenames that may escape subdir
+ if (filename.find("..") != std::string::npos)
+ {
+ LL_WARNS("LLDir") << "Ignoring potentially relative filename '" << filename << "'" << LL_ENDL;
+ return results;
+ }
+
 // Cache the default language directory for each subdir we've encountered.
 // A cache entry whose value is the empty string means "not localized,
 // don't bother checking again."
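Review bot: The guard added before the cache lookup in indra/llvfs/lldir.cpp only tests `filename` for the substring `..`, so a `filename` that is absolute (leading `/` or `\`, or a drive prefix on Windows) and a `subdir` containing `..` pass through unchanged; whether either can carry untrusted input, and how the path is joined further down, is not visible in this hunk. If both parameters can come from content the viewer does not control, widen the condition to `if (filename.find("..") != std::string::npos || subdir.find("..") != std::string::npos || (!filename.empty() && (filename[0] == '/' || filename[0] == '\\')))`. Keep the blunt substring match rather than narrowing it to exact `..` components, since Windows path normalisation can drop trailing dots and spaces from a component. A one-line comment above the early return, `// An empty result is indistinguishable from "not found"; callers get no error`, would document the silent failure. The body of findSkinnedFilenames starts and ends outside the hunk.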
@@ -784,8 +793,6 @@ std::vector LLDir::findSkinnedFilenames(const std::string& subdir,
 }
 }
- // Build results vector.
- std::vector results;
 // The process we use depends on 'constraint'.
 if (constraint != CURRENT_SKIN) // meaning ALL_SKINS
 {
-- cgit v1.3