/pidgin/main: a8aef1d340f2: Fix a bug where a remote MXit user c...
Mark Doliner
mark at kingant.net
Wed Feb 13 09:59:53 EST 2013
Changeset: a8aef1d340f2b2430321533cef87f5289968fa91
Author: Mark Doliner <mark at kingant.net>
Date: 2013-02-11 01:03 -0800
Branch: release-2.x.y
URL: http://hg.pidgin.im/pidgin/main/rev/a8aef1d340f2
Description:
Fix a bug where a remote MXit user could possibly specify a local
file path to be written to.
This is CVE-2013-0271.
The problem was reported to us by Chris Wysopal of Veracode.
diffstat:
ChangeLog | 2 ++
libpurple/protocols/mxit/formcmds.c | 14 ++++++++++++--
libpurple/protocols/mxit/splashscreen.c | 4 ++--
3 files changed, 16 insertions(+), 4 deletions(-)
diffs (63 lines):
diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,8 @@ version 2.10.7 (02/13/2013):
Barfield) (#15217)
MXit:
+ * Fix a bug where a remote MXit user could possibly specify a local
+ file path to be written to. (CVE-2013-0271)
* Display farewell messages in a different colour to distinguish
them from normal messages.
* Add support for typing notification.
diff --git a/libpurple/protocols/mxit/formcmds.c b/libpurple/protocols/mxit/formcmds.c
--- a/libpurple/protocols/mxit/formcmds.c
+++ b/libpurple/protocols/mxit/formcmds.c
@@ -405,19 +405,29 @@ static void command_imagestrip(struct MX
guchar* rawimg;
gsize rawimglen;
char* dir;
+ char* escfrom;
+ char* escname;
+ char* escvalidator;
char* filename;
/* base64 decode the image data */
rawimg = purple_base64_decode(tmp, &rawimglen);
/* save it to a file */
- dir = g_strdup_printf("%s/mxit/imagestrips", purple_user_dir());
+ dir = g_build_filename(purple_user_dir(), "mxit", "imagestrips", NULL);
purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR); /* ensure directory exists */
- filename = g_strdup_printf("%s/%s-%s-%s.png", dir, from, name, validator);
+ escfrom = g_strdup(purple_escape_filename(from));
+ escname = g_strdup(purple_escape_filename(name));
+ escvalidator = g_strdup(purple_escape_filename(validator));
+ filename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "%s-%s-%s.png", dir, escfrom, escname, escvalidator);
+
purple_util_write_data_to_file_absolute(filename, (char*) rawimg, rawimglen);
g_free(dir);
+ g_free(escfrom);
+ g_free(escname);
+ g_free(escvalidator);
g_free(filename);
}
diff --git a/libpurple/protocols/mxit/splashscreen.c b/libpurple/protocols/mxit/splashscreen.c
--- a/libpurple/protocols/mxit/splashscreen.c
+++ b/libpurple/protocols/mxit/splashscreen.c
@@ -121,10 +121,10 @@ void splash_update(struct MXitSession* s
splash_remove(session);
/* Save the new splash image */
- dir = g_strdup_printf("%s/mxit", purple_user_dir());
+ dir = g_strdup_printf("%s" G_DIR_SEPARATOR_S "mxit", purple_user_dir());
purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR); /* ensure directory exists */
- filename = g_strdup_printf("%s/%s.png", dir, splashId);
+ filename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "%s.png", dir, purple_escape_filename(splashId));
if (purple_util_write_data_to_file_absolute(filename, data, datalen)) {
/* Store new splash-screen ID to settings */
purple_account_set_string(session->acc, MXIT_CONFIG_SPLASHID, splashId);
More information about the Commits
mailing list