commit 4ff38aa15487d69021aacad4b078500f77fb4ae8
Author: Albert Astals Cid <aacid@kde.org>
Date: Mon Feb 27 19:03:49 2017 +0100
Fix Directory Traversal problem in ktnef
Reported by Eric Sesterhenn
Patch reviewed by Laurent Montel
CCMAIL: eric.sesterhenn@x41-dsec.de
diff --git a/src/ktnefparser.cpp b/src/ktnefparser.cpp
index ce40e40..0678003 100644
--- a/src/ktnefparser.cpp
+++ b/src/ktnefparser.cpp
@@ -41,7 +41,9 @@
#include <QtCore/QDateTime>
#include <QtCore/QDataStream>
+#include <QtCore/QDir>
#include <QtCore/QFile>
+#include <QtCore/QFileInfo>
#include <QtCore/QVariant>
#include <QtCore/QList>
@@ -446,7 +448,9 @@ bool KTNEFParser::extractFile(const QString &filename) const
bool KTNEFParser::ParserPrivate::extractAttachmentTo(KTNEFAttach *att,
const QString &dirname)
{
- QString filename = dirname + QLatin1Char('/');
+ const QString destDir(QDir(dirname).absolutePath()); // get directory path without any "." or ".."
+
+ QString filename = destDir + QLatin1Char('/');
if (!att->fileName().isEmpty()) {
filename += att->fileName();
} else {
@@ -462,6 +466,15 @@ bool KTNEFParser::ParserPrivate::extractAttachmentTo(KTNEFAttach *att,
if (!device_->seek(att->offset())) {
return false;
}
+
+ const QFileInfo fi(filename);
+ if (!fi.absoluteFilePath().startsWith(destDir)) {
+ qWarning() << "Attempted extract into" << fi.absoluteFilePath()
+ << "which is outside of the extraction root folder" << destDir << "."
+ << "Changing export of contained files to extraction root folder.";
+ filename = destDir + QLatin1Char('/') + fi.fileName();
+ }
+
QSaveFile outfile(filename);
if (!outfile.open(QIODevice::WriteOnly)) {
return false;
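Review bot: The containment test `fi.absoluteFilePath().startsWith(destDir)` is a plain string-prefix match with no trailing separator, so a resolved path in a sibling directory whose name merely begins with the same characters as `destDir` still passes the check. Comparing against the directory plus its separator closes that gap: `if (!fi.absoluteFilePath().startsWith(destDir + QLatin1Char('/'))) {`. Qt documents `QFileInfo::absoluteFilePath()` as not necessarily removing `.`/`..` elements and as leaving symbolic links unresolved, so running the name through `QDir::cleanPath()` before the comparison would make the check independent of that behaviour; symlinks already present under the destination are not covered either way. A short comment above the check, such as `// reject names that resolve outside destDir; fall back to the bare file name`, would document the fallback. The body of extractAttachmentTo starts in the previous hunk and continues past the end of this one.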