]> git.mxchange.org Git - flightgear.git/commit
projects / flightgear.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 14b97ab) | patch
Security: don't pass a string to fgValidatePath then use the original
authorRebecca N. Palmer <rebecca_palmer@zoho.com>
Sun, 12 Jul 2015 16:49:21 +0000 (17:49 +0100)
committerRebecca N. Palmer <rebecca_palmer@zoho.com>
Sun, 12 Jul 2015 16:49:21 +0000 (17:49 +0100)
commit1199d6d626d0daaf402fa8aa4a1fdcab29c5b7b7
treec81a091cfbc9b0269200b7c62274b460a045b13ftree | snapshot
parent14b97abd8f6e19f134bbce96506caf717adfd678commit | diff
Security: don't pass a string to fgValidatePath then use the original

This is insecure because it always (not just on Windows) converts
\ to / before .. checking.  Either use the path it returns (as in
f_open()) or use an SGPath (where this conversion is already done)

Only a minor problem because the affected functions are limited to
the .sav file type
src/Main/fg_commands.cxx diff | blob | history
Personal clone of the FlightGear source code, the free-libre OpenSource flight simulator.