Diffstat (limited to 'code/qcommon/files.c')
-rw-r--r-- | code/qcommon/files.c | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/code/qcommon/files.c b/code/qcommon/files.c
index 7411905..af5518b 100644
--- a/code/qcommon/files.c
+++ b/code/qcommon/files.c
@@ -2570,6 +2570,23 @@ qboolean FS_idPak( char *pak, char *base ) {
 /*
 ================
+FS_idPak
+
+Check whether the string contains stuff like "../" to prevent directory traversal bugs
+and return qtrue if it does.
+================
+*/
+
+qboolean FS_CheckDirTraversal(const char *checkdir)
+{
+ if(strstr(checkdir, "../") || strstr(checkdir, "..\\"))
+ return qtrue;
+
+ return qfalse;
+}
+
+/*
+================
 FS_ComparePaks
 ----------------
@@ -2617,7 +2634,7 @@ qboolean FS_ComparePaks( char *neededpaks, int len, qboolean dlstring ) {
 }
 // Make sure the server cannot make us write to non-quake3 directories.
- if(strstr(fs_serverReferencedPakNames[i], "../") || strstr(fs_serverReferencedPakNames[i], "..\\"))
+ if(FS_CheckDirTraversal(fs_serverReferencedPakNames[i]))
 {
 Com_Printf("WARNING: Invalid download name %s\n", fs_serverReferencedPakNames[i]);
 continue;
|
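Review bot: FS_CheckDirTraversal matches only the substrings `../` and `..\`, so a name that is absolute or carries a drive prefix comes back qfalse. The second hunk uses it as the only visible gate on server-supplied pak names, which looks narrower than that call site's comment ("cannot make us write to non-quake3 directories") promises. How much this matters depends on how the download path is assembled, which is outside both hunks. The helper could also reject those shapes, e.g. `if(checkdir[0] == '/' || checkdir[0] == '\\' || strchr(checkdir, ':')) return qtrue;`, or its comment should say that it covers only relative `..` segments. The banner above the new function also still reads `FS_idPak` and should read `FS_CheckDirTraversal`.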