/pidgin/main: a8aef1d340f2: Fix a bug where a remote MXit user c...

Mark Doliner mark at kingant.net
Wed Feb 13 09:59:53 EST 2013


Changeset: a8aef1d340f2b2430321533cef87f5289968fa91
Author:	 Mark Doliner <mark at kingant.net>
Date:	 2013-02-11 01:03 -0800
Branch:	 release-2.x.y
URL: http://hg.pidgin.im/pidgin/main/rev/a8aef1d340f2

Description:

Fix a bug where a remote MXit user could possibly specify a local
file path to be written to.

This is CVE-2013-0271.

The problem was reported to us by Chris Wysopal of Veracode.

diffstat:

 ChangeLog                               |   2 ++
 libpurple/protocols/mxit/formcmds.c     |  14 ++++++++++++--
 libpurple/protocols/mxit/splashscreen.c |   4 ++--
 3 files changed, 16 insertions(+), 4 deletions(-)

diffs (63 lines):

diff --git a/ChangeLog b/ChangeLog
--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,8 @@ version 2.10.7 (02/13/2013):
 	  Barfield) (#15217)
 
 	MXit:
+	* Fix a bug where a remote MXit user could possibly specify a local
+	  file path to be written to. (CVE-2013-0271)
 	* Display farewell messages in a different colour to distinguish
 	  them from normal messages.
 	* Add support for typing notification.
diff --git a/libpurple/protocols/mxit/formcmds.c b/libpurple/protocols/mxit/formcmds.c
--- a/libpurple/protocols/mxit/formcmds.c
+++ b/libpurple/protocols/mxit/formcmds.c
@@ -405,19 +405,29 @@ static void command_imagestrip(struct MX
 		guchar*		rawimg;
 		gsize		rawimglen;
 		char*		dir;
+		char*		escfrom;
+		char*		escname;
+		char*		escvalidator;
 		char*		filename;
 
 		/* base64 decode the image data */
 		rawimg = purple_base64_decode(tmp, &rawimglen);
 
 		/* save it to a file */
-		dir = g_strdup_printf("%s/mxit/imagestrips", purple_user_dir());
+		dir = g_build_filename(purple_user_dir(), "mxit", "imagestrips", NULL);
 		purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR);		/* ensure directory exists */
 
-		filename = g_strdup_printf("%s/%s-%s-%s.png", dir, from, name, validator);
+		escfrom = g_strdup(purple_escape_filename(from));
+		escname = g_strdup(purple_escape_filename(name));
+		escvalidator = g_strdup(purple_escape_filename(validator));
+		filename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "%s-%s-%s.png", dir, escfrom, escname, escvalidator);
+
 		purple_util_write_data_to_file_absolute(filename, (char*) rawimg, rawimglen);
 
 		g_free(dir);
+		g_free(escfrom);
+		g_free(escname);
+		g_free(escvalidator);
 		g_free(filename);
 	}
 
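Review bot: The decoded image is written without checking the result of `purple_base64_decode()`, and `rawimg` is never freed in the visible block: the cleanup list frees only `dir`, the three escaped strings and `filename`. Since `tmp` presumably comes from the remote command, I would guard the write with `if (rawimg != NULL && rawimglen > 0)` and add `g_free(rawimg);` next to the other frees. The return value of `purple_util_write_data_to_file_absolute()` is also dropped here, whereas splash_update() in this same commit checks it. command_imagestrip() begins before the hunk, so whether `from`, `name` and `validator` can be NULL when they reach `purple_escape_filename()` is not visible and should be confirmed.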
diff --git a/libpurple/protocols/mxit/splashscreen.c b/libpurple/protocols/mxit/splashscreen.c
--- a/libpurple/protocols/mxit/splashscreen.c
+++ b/libpurple/protocols/mxit/splashscreen.c
@@ -121,10 +121,10 @@ void splash_update(struct MXitSession* s
 	splash_remove(session);
 
 	/* Save the new splash image */
-	dir = g_strdup_printf("%s/mxit",  purple_user_dir());
+	dir = g_strdup_printf("%s" G_DIR_SEPARATOR_S "mxit",  purple_user_dir());
 	purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR);		/* ensure directory exists */
 
-	filename = g_strdup_printf("%s/%s.png", dir, splashId);
+	filename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "%s.png", dir, purple_escape_filename(splashId));
 	if (purple_util_write_data_to_file_absolute(filename, data, datalen)) {
 		/* Store new splash-screen ID to settings */
 		purple_account_set_string(session->acc, MXIT_CONFIG_SPLASHID, splashId);
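Review bot: The image is now written under `purple_escape_filename(splashId)`, but the last visible line still stores the raw `splashId` in `MXIT_CONFIG_SPLASHID`. Any code that later rebuilds the path from that setting, presumably `splash_remove()` (called at the top of this hunk) and whatever displays the image, needs the same escaping; otherwise it would look for a different file than the one written and would still format a remote-controlled string into a path. Those functions are outside the hunk, so this needs confirming; one shared helper that returns the escaped path would keep all sites in step. As a smaller style point, `dir` is built here with `g_strdup_printf` and `G_DIR_SEPARATOR_S`, while formcmds.c in this commit moved to `g_build_filename()`; `dir = g_build_filename(purple_user_dir(), "mxit", NULL);` would match. splash_update() starts before the hunk and continues after it.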


