Fix a bug where a remote MXit user could possibly specify a local release-2.x.y
authorMark Doliner <mark@kingant.net>
Mon, 11 Feb 2013 01:03:34 -0800
branchrelease-2.x.y
changeseta8aef1d340f2 pushlog
parent d1aa818fd0fc
child 879db2a9a59c
Fix a bug where a remote MXit user could possibly specify a local
file path to be written to.

This is CVE-2013-0271.

The problem was reported to us by Chris Wysopal of Veracode.
ChangeLog
libpurple/protocols/mxit/formcmds.c
libpurple/protocols/mxit/splashscreen.c
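--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,8 @@
 	  Barfield) (#15217)
 
 	MXit:
+	* Fix a bug where a remote MXit user could possibly specify a local
+	  file path to be written to. (CVE-2013-0271)
 	* Display farewell messages in a different colour to distinguish
 	  them from normal messages.
 	* Add support for typing notification.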
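--- a/libpurple/protocols/mxit/formcmds.c
+++ b/libpurple/protocols/mxit/formcmds.c
@@ -405,19 +405,29 @@
 		guchar*		rawimg;
 		gsize		rawimglen;
 		char*		dir;
+		char*		escfrom;
+		char*		escname;
+		char*		escvalidator;
 		char*		filename;
 
 		/* base64 decode the image data */
 		rawimg = purple_base64_decode(tmp, &rawimglen);
 
 		/* save it to a file */
-		dir = g_strdup_printf("%s/mxit/imagestrips", purple_user_dir());
+		dir = g_build_filename(purple_user_dir(), "mxit", "imagestrips", NULL);
 		purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR);		/* ensure directory exists */
 
-		filename = g_strdup_printf("%s/%s-%s-%s.png", dir, from, name, validator);
+		escfrom = g_strdup(purple_escape_filename(from));
+		escname = g_strdup(purple_escape_filename(name));
+		escvalidator = g_strdup(purple_escape_filename(validator));
+		filename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "%s-%s-%s.png", dir, escfrom, escname, escvalidator);
+
 		purple_util_write_data_to_file_absolute(filename, (char*) rawimg, rawimglen);
 
 		g_free(dir);
+		g_free(escfrom);
+		g_free(escname);
+		g_free(escvalidator);
 		g_free(filename);
 	}
 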
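Review bot: `rawimg`, the buffer returned by `purple_base64_decode`, is never released in this block: the cleanup list frees `dir`, the three escaped strings and `filename`, but not the decoded image. Assuming the write helper does not take ownership of its data argument, every image strip received from a remote contact leaks its decoded size, so `g_free(rawimg);` belongs next to the other frees. The return value of `purple_util_write_data_to_file_absolute` is also ignored here, whereas splashscreen.c checks it; a failed write should at least be logged. I would add a comment above the three `g_strdup` calls, e.g. `/* purple_escape_filename() returns a static buffer; copy each result before the next call */`, so that nobody later folds them back into a single `g_strdup_printf`. The block opens above the hunk, so where `tmp`, `from`, `name` and `validator` come from, and whether any of them can be NULL, is not visible here.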
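--- a/libpurple/protocols/mxit/splashscreen.c
+++ b/libpurple/protocols/mxit/splashscreen.c
@@ -121,10 +121,10 @@
 	splash_remove(session);
 
 	/* Save the new splash image */
-	dir = g_strdup_printf("%s/mxit",  purple_user_dir());
+	dir = g_strdup_printf("%s" G_DIR_SEPARATOR_S "mxit",  purple_user_dir());
 	purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR);		/* ensure directory exists */
 
-	filename = g_strdup_printf("%s/%s.png", dir, splashId);
+	filename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "%s.png", dir, purple_escape_filename(splashId));
 	if (purple_util_write_data_to_file_absolute(filename, data, datalen)) {
 		/* Store new splash-screen ID to settings */
 		purple_account_set_string(session->acc, MXIT_CONFIG_SPLASHID, splashId);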
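Review bot: The `purple_account_set_string` call at the end of the hunk still stores the raw `splashId`, while the file is now written under `purple_escape_filename(splashId)`, so every other place that rebuilds the path from the stored ID must escape it the same way. This diff does not touch `splash_remove` (called at the top of the hunk) or any code that loads the image. If those still format the path from the unescaped value, they will miss the new file, and a delete or read would keep following a remote-supplied path; this is inferred, since their bodies are outside the hunk. A single helper that returns the escaped splash path, used by the save, remove and display code, would keep the three in step. As a style point, `dir` could be built with `g_build_filename(purple_user_dir(), "mxit", NULL)`, as formcmds.c now does. The enclosing function starts and ends outside the hunk.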