source/xap/rdesktop/rdesktop.CVE-2011-1595.diff


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

--- ./disk.c.orig	2008-02-15 18:13:25.000000000 -0600
+++ ./disk.c	2011-04-20 20:27:55.978000772 -0500
@@ -356,6 +356,19 @@
 		filename[strlen(filename) - 1] = 0;
 	sprintf(path, "%s%s", g_rdpdr_device[device_id].local_path, filename);
 
+        /* Protect against mailicous servers:
+           somelongpath/..     not allowed
+           somelongpath/../b   not allowed
+           somelongpath/..b    in principle ok, but currently not allowed
+           somelongpath/b..    ok
+           somelongpath/b..b   ok
+           somelongpath/b../c  ok
+         */
+        if (strstr(path, "/.."))
+        {
+                return RD_STATUS_ACCESS_DENIED;
+        }
+
 	switch (create_disposition)
 	{
 		case CREATE_ALWAYS: