dino-0.2.0-1.1.mga8.src.rpm

From 1eaad1ccfbd00c6e76650535496531c172453994 Mon Sep 17 00:00:00 2001
From: fiaxh <git@lightrise.org>
Date: Mon, 7 Jun 2021 09:56:25 -0600
Subject: [PATCH] Fix file traversal issue on incoming file transfers

Fixes CVE-2021-33896
---
 libdino/src/entity/file_transfer.vala | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/libdino/src/entity/file_transfer.vala b/libdino/src/entity/file_transfer.vala
index a8e386bfd..1823478fe 100644
--- a/libdino/src/entity/file_transfer.vala
+++ b/libdino/src/entity/file_transfer.vala
@@ -45,7 +45,18 @@ public class FileTransfer : Object {
         }
     }
 
-    public string file_name { get; set; }
+    private string file_name_;
+    public string file_name {
+        get { return file_name_; }
+        set {
+            file_name_ = Path.get_basename(value);
+            if (file_name_ == Path.DIR_SEPARATOR_S || file_name_ == ".") {
+                file_name_ = "unknown filename";
+            } else if (file_name_.has_prefix(".")) {
+                file_name_ = "_" + file_name_;
+            }
+        }
+    }
     private string? server_file_name_ = null;
     public string server_file_name {
         get { return server_file_name_ ?? file_name; }
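Review bot: The normalisation added to the `file_name` setter covers only that property; `server_file_name_` directly below keeps its own backing field and its setter lies outside the hunk, so it is not visible here whether a peer-supplied value stored there is reduced to a single path component too. If that value is ever joined into a local path it would need the same `Path.get_basename` treatment, which is worth confirming against the callers. The setter also rewrites its input silently, so a comment above `set {` such as `// file_name may come from the remote peer: keep one path component only, never a dotfile` would record why the fallback name and the `_` prefix exist. A regression test that assigns names like `../x`, `/`, `.` and `.bashrc` and asserts the stored value would pin the behaviour this patch introduces.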