new version: 2016.4.4

Bugfix: reject dubious paths in HTTP repos.
This avoids a malicious repository writing to files outside the local storage root. (cherry picked from commit a2b111bb09)
2016-12-28 13:57:44 +01:00 · 2016-12-22 16:59:45 +01:00 · 2016-12-05 13:28:25 +01:00 · 2016-11-29 15:44:19 +00:00 · 2016-11-22 09:38:58 +01:00
4 changed files with 28 additions and 3 deletions
--- a/simgear/io/HTTPRepository.cxx
+++ b/simgear/io/HTTPRepository.cxx
@@ -612,6 +612,14 @@ private:
                SG_LOG(SG_TERRASYNC, SG_WARN, "malformed .dirindex file: invalid type in line '" << line << "', expected 'd' or 'f', (ignoring line)" );
                continue;
            }
+
+            // security: prevent writing outside the repository via ../../.. filenames
+            // (valid filenames never contain / - subdirectories have their own .dirindex)
+            if ((tokens[1] == "..") || (tokens[1].find_first_of("/\\") != std::string::npos)) {
+                SG_LOG(SG_TERRASYNC, SG_WARN, "malformed .dirindex file: invalid filename in line '" << line << "', (ignoring line)" );
+                continue;
+            }
+
            children.push_back(ChildInfo(typeData == "f" ? ChildInfo::FileType : ChildInfo::DirectoryType, tokens[1], tokens[2]));

            if (tokens.size() > 3) {
--- a/simgear/package/CatalogTest.cxx
+++ b/simgear/package/CatalogTest.cxx
@@ -175,9 +175,14 @@ int parseTest()
      // expected
    }

+    unsigned int skisVariantFull = p2->indexOfVariant("org.flightgear.test.catalog1.c172p-skis");
+    VERIFY(skisVariantFull > 0);
+
    unsigned int skisVariant = p2->indexOfVariant("c172p-skis");
    VERIFY(skisVariant > 0);

+    COMPARE(skisVariant, skisVariantFull);
+
    pkg::Package::ThumbnailVec thumbs2 = p2->thumbnailsForVariant(skisVariant);
    COMPARE(thumbs2.size(), 2);

--- a/simgear/package/Package.cxx
+++ b/simgear/package/Package.cxx
@@ -340,13 +340,25 @@ std::string Package::nameForVariant(const std::string& vid) const

 unsigned int Package::indexOfVariant(const std::string& vid) const
 {
-    if (vid == id()) {
+    // accept fully-qualified IDs here
+    std::string actualId = vid;
+    size_t lastDot = vid.rfind('.');
+    if (lastDot != std::string::npos) {
+        std::string catalogId = vid.substr(0, lastDot);
+        if (catalogId != catalog()->id()) {
+            throw sg_exception("Bad fully-qualified ID:" + vid + ", package mismatch" );
+        }
+        actualId = vid.substr(lastDot + 1);
+    }
+
+
+    if (actualId == id()) {
        return 0;
    }

    unsigned int result = 1;
    for (SGPropertyNode* var : m_props->getChildren("variant")) {
-        if (var->getStringValue("id") == vid) {
+        if (var->getStringValue("id") == actualId) {
            return result;
        }

--- a/2
+++ b/2
@@ -1 +1 @@
-2016.4.1
+2016.4.4
Author	SHA1	Message	Date
Automatic Release Builder	235e38b69b	new version: 2016.4.4	2016-12-28 13:57:44 +01:00
James Turner	279b2c120f	Bugfix: reject dubious paths in HTTP repos. This avoids a malicious repository writing to files outside the local storage root. (cherry picked from commit `a2b111bb09`)	2016-12-22 16:59:45 +01:00
Automatic Release Builder	c92a953511	new version: 2016.4.3	2016-12-05 13:28:25 +01:00
James Turner	863ae19d1d	Package::indexOfvariant works on fully-qualified IDs. Should fix issues restoring variants in the launcher.	2016-11-29 15:44:19 +00:00
Automatic Release Builder	cd7b6d69b0	new version: 2016.4.2	2016-11-22 09:38:58 +01:00
@@ -1 +1 @@
 .4.1
 .4.4