From: Rebecca N. Palmer <rebecca_palmer@zoho.com>
Date: Sun, 12 Jul 2015 16:49:21 +0000 (+0100)
Subject: Security: don't pass a string to fgValidatePath then use the original
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=1199d6d626d0daaf402fa8aa4a1fdcab29c5b7b7;p=flightgear.git

Security: don't pass a string to fgValidatePath then use the original

This is insecure because it always (not just on Windows) converts
\ to / before .. checking.  Either use the path it returns (as in
f_open()) or use an SGPath (where this conversion is already done)

Only a minor problem because the affected functions are limited to
the .sav file type
---

diff --git a/src/Main/fg_commands.cxx b/src/Main/fg_commands.cxx
index fa303dde4..442787662 100644
--- a/src/Main/fg_commands.cxx
+++ b/src/Main/fg_commands.cxx
@@ -287,9 +287,10 @@ do_pause (const SGPropertyNode * arg)
 static bool
 do_load (const SGPropertyNode * arg)
 {
-    string file = arg->getStringValue("file", "fgfs.sav");
-    if (file.size() < 4 || file.substr(file.size() - 4) != ".sav")
-        file += ".sav";
+    SGPath file(arg->getStringValue("file", "fgfs.sav"));
+
+    if (file.extension() != "sav")
+        file.concat(".sav");
 
     if (fgValidatePath(file, false).empty()) {
         SG_LOG(SG_IO, SG_ALERT, "load: reading '" << file << "' denied "
@@ -318,9 +319,10 @@ do_load (const SGPropertyNode * arg)
 static bool
 do_save (const SGPropertyNode * arg)
 {
-    string file = arg->getStringValue("file", "fgfs.sav");
-    if (file.size() < 4 || file.substr(file.size() - 4) != ".sav")
-        file += ".sav";
+    SGPath file(arg->getStringValue("file", "fgfs.sav"));
+
+    if (file.extension() != "sav")
+        file.concat(".sav");
 
     if (fgValidatePath(file, false).empty()) {
         SG_LOG(SG_IO, SG_ALERT, "save: writing '" << file << "' denied "