Security: don't pass a string to fgValidatePath then use the original

This is insecure because it always (not just on Windows) converts
\ to / before .. checking.  Either use the path it returns (as in
f_open()) or use an SGPath (where this conversion is already done)

Only a minor problem because the affected functions are limited to
the .sav file type

diff --git a/src/Main/fg_commands.cxx b/src/Main/fg_commands.cxx
index fa303dde4643bf1002c17c036ed9166d199f4385..442787662c1995a17f292dfe7ee8b873c964c89d 100644 (file)
--- a/src/Main/fg_commands.cxx
+++ b/src/Main/fg_commands.cxx
@@ -287,9 +287,10 @@ do_pause (const SGPropertyNode * arg)
 static bool
 do_load (const SGPropertyNode * arg)
 {
-    string file = arg->getStringValue("file", "fgfs.sav");
-    if (file.size() < 4 || file.substr(file.size() - 4) != ".sav")
-        file += ".sav";
+    SGPath file(arg->getStringValue("file", "fgfs.sav"));
+
+    if (file.extension() != "sav")
+        file.concat(".sav");
 
     if (fgValidatePath(file, false).empty()) {
         SG_LOG(SG_IO, SG_ALERT, "load: reading '" << file << "' denied "
@@ -318,9 +319,10 @@ do_load (const SGPropertyNode * arg)
 static bool
 do_save (const SGPropertyNode * arg)
 {
-    string file = arg->getStringValue("file", "fgfs.sav");
-    if (file.size() < 4 || file.substr(file.size() - 4) != ".sav")
-        file += ".sav";
+    SGPath file(arg->getStringValue("file", "fgfs.sav"));
+
+    if (file.extension() != "sav")
+        file.concat(".sav");
 
     if (fgValidatePath(file, false).empty()) {
         SG_LOG(SG_IO, SG_ALERT, "save: writing '" << file << "' denied "