Fixed potential vulnerability in server

ref #623
2017-10-09 21:47:15 +02:00 · 2017-10-09 21:47:15 +02:00 · 15b01116bf
parent 60978e2ec4
commit 15b01116bf
2 changed files with 9 additions and 0 deletions
--- a/Server/Core/Commands/CommandHandler.cs
+++ b/Server/Core/Commands/CommandHandler.cs
@ -7,6 +7,7 @@ public static partial class CommandHandler
    {
        public static Dictionary<int, string> CanceledDownloads = new Dictionary<int, string>();
        public static Dictionary<int, string> RenamedFiles = new Dictionary<int, string>();
+        private static readonly char[] DISALLOWED_FILENAME_CHARS = { '/', '\\' };
        private const string DELIMITER = "$E$";
    }
 }
--- a/Server/Core/Commands/MiscHandler.cs
+++ b/Server/Core/Commands/MiscHandler.cs
@ -26,6 +26,14 @@ public static void HandleDoDownloadFileResponse(Client client, DoDownloadFileRes
            if (CanceledDownloads.ContainsKey(packet.ID) || string.IsNullOrEmpty(packet.Filename))
                return;

+            // don't escape from download directory
+            if (packet.Filename.IndexOfAny(DISALLOWED_FILENAME_CHARS) >= 0 || Path.IsPathRooted(packet.Filename))
+            {
+                // disconnect malicious client
+                client.Disconnect();
+                return;
+            }
+
            if (!Directory.Exists(client.Value.DownloadDirectory))
                Directory.CreateDirectory(client.Value.DownloadDirectory);