diff -uNr libdigidoc-3.6.0.0/libdigidoc/DigiDocError.c libdigidoc-3.6.0.0p/libdigidoc/DigiDocError.c
--- libdigidoc-3.6.0.0/libdigidoc/DigiDocError.c 2012-07-02 08:57:22.000000000 +0300
+++ libdigidoc-3.6.0.0p/libdigidoc/DigiDocError.c 2013-08-28 19:08:10.109888635 +0300
@@ -182,6 +182,7 @@
 /* ERR_DATAFILE_NOT_MANIFEST */ { "Datafile is not described in manifest.xml!", USER },
 /* ERR_SIG_INVALID_PROFILE */ { "Signature does not correspond to profile in manifest.xml!", USER },
 /* ERR_SIGNERS_CERT_NON_REPU */ { "Signers cert does not have non-repudiation bit set!", USER },
+/* ERR_DF_NAME */ { "Failed to parse DataFile name. Invalid file name!", USER },
 /* */ {"", NO_ERRORS}
 };
diff -uNr libdigidoc-3.6.0.0/libdigidoc/DigiDocError.h libdigidoc-3.6.0.0p/libdigidoc/DigiDocError.h
--- libdigidoc-3.6.0.0/libdigidoc/DigiDocError.h 2012-07-02 08:57:22.000000000 +0300
+++ libdigidoc-3.6.0.0p/libdigidoc/DigiDocError.h 2013-08-28 19:10:30.239884113 +0300
@@ -200,8 +200,9 @@
 #define ERR_DATAFILE_NOT_MANIFEST 160
 #define ERR_SIG_INVALID_PROFILE 161
 #define ERR_SIGNERS_CERT_NON_REPU 162
+#define ERR_DF_NAME 163
-#define ERR_MAX 164 //number of error codes. Increment, if you add a new error code
+#define ERR_MAX 165 //number of error codes. Increment, if you add a new error code
 #define ERROR_BUF_LENGTH 20
diff -uNr libdigidoc-3.6.0.0/libdigidoc/DigiDocSAXParser.c libdigidoc-3.6.0.0p/libdigidoc/DigiDocSAXParser.c
--- libdigidoc-3.6.0.0/libdigidoc/DigiDocSAXParser.c 2012-07-02 08:57:22.000000000 +0300
+++ libdigidoc-3.6.0.0p/libdigidoc/DigiDocSAXParser.c 2013-08-28 19:18:20.440567740 +0300
@@ -327,6 +327,11 @@
 free(p);
 p = 0;
 ddocDebug(4, "handleStartDataFile", "Filename in: \'%s\' out: \'%s\'", atts[i+1], (char*)mbuf1.pMem);
+ if(strchr((char*)mbuf1.pMem, '/') || strchr((char*)mbuf1.pMem, '\\')) {
+ ddocDebug(1, "handleStartDataFile", "Invalid filename: \'%s\'", (char*)mbuf1.pMem);
+ SET_LAST_ERROR(ERR_DF_NAME);
+ return;
+ }
 }
 if(!strcmp((const char*)atts[i], "MimeType"))
 mime = (const char*)atts[i+1];
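Review bot: The added check in handleStartDataFile rejects only names that contain `/` or `\`, so an empty name, `.` and `..` still pass, and `strchr` is called on `mbuf1.pMem` with no NULL test (whether it can be NULL here depends on the conversion code above the hunk, which is not shown). A tighter guard would be `if(!fn || !*fn || !strcmp(fn, ".") || !strcmp(fn, "..") || strpbrk(fn, "/\\")) {` with `fn` standing for `(const char*)mbuf1.pMem`; on Windows builds a `:` in the name (drive-relative paths, alternate streams) is worth rejecting as well. The early `return` leaves the callback after `mbuf1` has been filled, so if the function releases `mbuf1` at its end, which lies outside the hunk, this path should release it too. The `return` also ends only this callback, so the rejection is effective only if the parse loop or its caller checks the last error before any DataFile content is written out; that is worth confirming and recording above the check, for example `/* DataFile name must be a bare file name: no path separators */`.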