[asterisk-dev] New manager action: CreateConfig
Tony Mountifield
tony at softins.clara.co.uk
Tue Feb 12 11:39:19 CST 2008
In article <47B1C301.70300 at digium.com>,
Jason Parker <jparker at digium.com> wrote:
> Michiel van Baak wrote:
> > On 16:16, Tue 12 Feb 08, Johansson Olle E wrote:
> >> What happens if I use an argument of "../rc.conf" or "../passwd" ?
> >>
> >> I suggest we filter file name arguments for ".." and "/" in the
> >> arguments of all these configuration actions.
> >>
> >> /O
> >
> > Please make that a regex like '^\.\.' and '^\/'
> > I use subdirs to store my configs so filtering on plain /
> > won't be nice for me
> >
>
> '^\.\.' is no good.
>
> "fakedir/../../badfile" ~= "../badfile"
>
> Only the latter would match that regex.
No need to use regexes - they don't catch symbolic links anyway.

$ man 3 realpath

Use realpath() to get the canonical pathname of the confdir+argument,
and then check that confdir is still a full prefix of the result.

Cheers
Tony
--
Tony Mountifield
Work: tony at softins.co.uk - http://www.softins.co.uk
Play: tony at mountifield.org - http://tony.mountifield.org
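One way to implement the realpath() check Tony describes, as an added example in C that is not part of this thread or of Asterisk's own code; the helper name config_path_allowed() is hypothetical, and the prefix test stops at a path separator so that a sibling directory sharing the confdir name is not accepted.

```c
#define _XOPEN_SOURCE 700   /* declares realpath() under strict -std modes */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True when path lies strictly inside dir (both canonical, dir not "/").  The
 * test must stop at a separator so "/etc/asterisk2" is not inside "/etc/asterisk". */
static int strictly_under(const char *dir, const char *path)
{
    size_t n = strlen(dir);
    return strncmp(dir, path, n) == 0 && path[n] == '/';
}

/* Resolve confdir + "/" + name with realpath() and accept it only if the
 * canonical result is still inside confdir.  A file that does not exist yet
 * (CreateConfig) is handled by canonicalising its parent directory and
 * re-attaching the final component.  Returns 1 and stores the canonical
 * path in out on success; any lookup failure or escape returns 0. */
int config_path_allowed(const char *confdir, const char *name,
                        char *out, size_t outlen)
{
    char canon_dir[PATH_MAX], candidate[PATH_MAX];
    char parent[PATH_MAX], resolved[PATH_MAX];
    if (!realpath(confdir, canon_dir))
        return 0;
    if (snprintf(candidate, sizeof candidate, "%s/%s", canon_dir, name)
            >= (int)sizeof candidate)
        return 0;
    if (!realpath(candidate, resolved)) {
        /* Target missing: canonicalise the parent, keep the last component. */
        char *slash = strrchr(candidate, '/');   /* never NULL: path is absolute */
        const char *base = slash + 1;
        size_t plen = (size_t)(slash - candidate), rlen;
        if (!*base || !strcmp(base, ".") || !strcmp(base, ".."))
            return 0;
        memcpy(parent, candidate, plen);
        parent[plen] = '\0';
        if (!realpath(parent, resolved))
            return 0;
        rlen = strlen(resolved);
        if (snprintf(resolved + rlen, sizeof resolved - rlen, "%s%s",
                     rlen == 1 ? "" : "/", base) >= (int)(sizeof resolved - rlen))
            return 0;
    }
    if (!strictly_under(canon_dir, resolved) || strlen(resolved) >= outlen)
        return 0;
    strcpy(out, resolved);
    return 1;
}
```

A dangling symlink as the final component makes realpath() fail and is treated here as a not-yet-existing file, so the code that then creates it should open with O_CREAT|O_EXCL (or O_NOFOLLOW) rather than trusting the name alone.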