Re: [Bug-wget] [PATCH 09/25] Enforce Metalink file name verification, st
From: Matthew White
Subject: Re: [Bug-wget] [PATCH 09/25] Enforce Metalink file name verification, strip directory if necessary
Date: Tue, 13 Sep 2016 05:13:10 +0200

On Mon, 12 Sep 2016 21:20:54 +0200
Tim Rühsen <address@hidden> wrote:
> On Montag, 12. September 2016 20:18:30 CEST Eli Zaretskii wrote:
> > > From: Tim Ruehsen <address@hidden>
> > > Date: Mon, 12 Sep 2016 13:00:32 +0200
> > >
> > > > + char *basename = name;
> > > > +
> > > > + while ((name = strstr (basename, "/")))
> > > > + basename = name + 1;
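Review bot: The loop condition `while ((name = strstr (basename, "/")))` splits on "/" only and overwrites `name`, which is NULL once the loop ends, so nothing after this point can use `name` again. A name ending in "/" leaves `basename` pointing at an empty string, and a final component of ".." is returned unchanged; check for both before the result is used as a file name, and search for a single character (`strrchr`) or use a separator macro rather than `strstr` with a one-character string.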
> > >
> > > Could you use strrchr() ? something like
> > >
> > > char *basename = strrchr (name, '/');
> > >
> > > if (basename)
> > >   basename += 1;
> > > else
> > >   basename = name;
> >
> > I think we want to use ISSEP, no? Otherwise Windows file names with
> > backslashes will misfire.
>
> Good point. What about device names ?
>
> So maybe base_name() from Gnulib module 'dirname' is the right choice !?
> See https://www.gnu.org/software/gnulib/manual/html_node/basename.html

What if Gnulib's base_name() returns "./<basename>"?

libmetalink's metalink_check_safe_path() rejects relative paths:
https://tools.ietf.org/html/rfc5854#section-4.1.2.1

Also, basename is used to point to an existing memory location, base_name()
instead allocates new space. This is not a biggy, but we should keep it in mind
to amend properly.

lib/basename.c (base_name)
--------------------------
/* On systems with drive letters, "a/b:c" must return "./b:c" rather
than "b:c" to avoid confusion with a drive letter. On systems
with pure POSIX semantics, this is not an issue. */
--------------------------

Suggestions?
>
> Regards, Tim
Regards,
Matthew
--
Matthew White <address@hidden>
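
One way to write the stripping step so that it covers the concerns raised in this thread (both separators, drive-letter names, no allocation, no "./" prefix), as an added example that is not wget's, Gnulib's or libmetalink's code. The names `is_sep` and `safe_basename`, and the choice to reject drive-letter names rather than rewrite them, are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: both separators are honoured on every platform,
   because the name comes from an untrusted Metalink document. */
static int is_sep(char c)
{
    return c == '/' || c == '\\';
}

/* Return a pointer to the last path component inside NAME (no allocation),
   or NULL when no usable file name remains. Hypothetical function. */
const char *safe_basename(const char *name)
{
    const char *base = name, *p;

    if (name == NULL)
        return NULL;
    for (p = name; *p != '\0'; p++)
        if (is_sep(*p))
            base = p + 1;

    /* Nothing left ("", "dir/"), or a directory reference ("." or ".."). */
    if (*base == '\0' || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return NULL;

    /* "C:evil" or "b:c" reads as a drive-relative name on systems with drive
       letters. A "./" prefix is not wanted here, so the name is rejected. */
    if (isalpha((unsigned char) base[0]) && base[1] == ':')
        return NULL;
    return base;
}

int main(void)
{
    /* Constructed sample names, not taken from a real Metalink file. */
    const char *samples[] = { "dir/sub/file.iso", "..\\..\\file.iso", "dir/", "a/..", "a/b:c" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *b = safe_basename(samples[i]);
        printf("%-20s -> %s\n", samples[i], b ? b : "(rejected)");
    }
    return 0;
}
```

The returned pointer aliases the caller's string, so it stays valid only as long as that string does and must not be freed separately.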