Fix a bug where a remote MXit user could possibly specify a local release-2.x.y
authorMark Doliner <mark@kingant.net>
Mon, 11 Feb 2013 01:03:34 -0800
branchrelease-2.x.y
changeseta8aef1d340f2 pushlog
parent d1aa818fd0fc
child 879db2a9a59c
Fix a bug where a remote MXit user could possibly specify a local
file path to be written to.

This is CVE-2013-0271.

The problem was reported to us by Chris Wysopal of Veracode.
ChangeLog
libpurple/protocols/mxit/formcmds.c
libpurple/protocols/mxit/splashscreen.c
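--- a/ChangeLog
+++ b/ChangeLog
@@ -37,6 +37,8 @@
 	  Barfield) (#15217)
 
 	MXit:
+	* Fix a bug where a remote MXit user could possibly specify a local
+	  file path to be written to. (CVE-2013-0271)
 	* Display farewell messages in a different colour to distinguish
 	  them from normal messages.
 	* Add support for typing notification.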
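--- a/libpurple/protocols/mxit/formcmds.c
+++ b/libpurple/protocols/mxit/formcmds.c
@@ -405,19 +405,29 @@
 		guchar*		rawimg;
 		gsize		rawimglen;
 		char*		dir;
+		char*		escfrom;
+		char*		escname;
+		char*		escvalidator;
 		char*		filename;
 
 		/* base64 decode the image data */
 		rawimg = purple_base64_decode(tmp, &rawimglen);
 
 		/* save it to a file */
-		dir = g_strdup_printf("%s/mxit/imagestrips", purple_user_dir());
+		dir = g_build_filename(purple_user_dir(), "mxit", "imagestrips", NULL);
 		purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR);		/* ensure directory exists */
 
-		filename = g_strdup_printf("%s/%s-%s-%s.png", dir, from, name, validator);
+		escfrom = g_strdup(purple_escape_filename(from));
+		escname = g_strdup(purple_escape_filename(name));
+		escvalidator = g_strdup(purple_escape_filename(validator));
+		filename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "%s-%s-%s.png", dir, escfrom, escname, escvalidator);
+
 		purple_util_write_data_to_file_absolute(filename, (char*) rawimg, rawimglen);
 
 		g_free(dir);
+		g_free(escfrom);
+		g_free(escname);
+		g_free(escvalidator);
 		g_free(filename);
 	}
 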
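Review bot: `rawimg` is never released before the closing brace of this block, and neither the result of `purple_base64_decode()` nor that of `purple_util_write_data_to_file_absolute()` is checked, so each image strip received appears to leak the decoded buffer. Going by the commit description the payload and the name components come from the remote side, so guard the write with `if (rawimg != NULL)` and add `g_free(rawimg);` next to the other frees. A comment above the three `g_strdup(purple_escape_filename(...))` calls would also help the next reader, e.g. `/* from, name and validator are remotely supplied: escape each before building the path */`. The block's opening line is outside the hunk.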
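--- a/libpurple/protocols/mxit/splashscreen.c
+++ b/libpurple/protocols/mxit/splashscreen.c
@@ -121,10 +121,10 @@
 	splash_remove(session);
 
 	/* Save the new splash image */
-	dir = g_strdup_printf("%s/mxit",  purple_user_dir());
+	dir = g_strdup_printf("%s" G_DIR_SEPARATOR_S "mxit",  purple_user_dir());
 	purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR);		/* ensure directory exists */
 
-	filename = g_strdup_printf("%s/%s.png", dir, splashId);
+	filename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "%s.png", dir, purple_escape_filename(splashId));
 	if (purple_util_write_data_to_file_absolute(filename, data, datalen)) {
 		/* Store new splash-screen ID to settings */
 		purple_account_set_string(session->acc, MXIT_CONFIG_SPLASHID, splashId);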
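Review bot: The image is written under the escaped ID, but the last line stores the raw `splashId` in `MXIT_CONFIG_SPLASHID`, so any code that later rebuilds the path from that setting must apply `purple_escape_filename()` too. The `splash_remove(session)` call at the top of the hunk presumably rebuilds that path, and its body is not shown here; if it still formats the stored value directly, it would miss the escaped file or operate on an unescaped path. Consider a single helper that builds the splash path from an ID so the escaping cannot be skipped, or at least a comment at this call: `/* splashId is remotely supplied; every path built from it must go through purple_escape_filename() */`. The enclosing function starts and ends outside the hunk.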