authoroldmud0 <oldmud0@users.noreply.github.com>2020-12-28 00:48:00 -0600
committerGitHub <noreply@github.com>2020-12-28 00:48:00 -0600
commit8ed373597b1a006078909c9bf34f00a4c86dc464 (patch)
treec947020c47f5df18d4ff282621d982c9df829865
parentb155ab8488cdd280d1b84ceaf0cd9fbff671a357 (diff)
parent548eae95f27fc2dbd94f66bdba0d2d4aa0c4082b (diff)
Merge pull request #340 from AttorneyOnline/path-traversal
Prevent path from escaping base. Truly the end of an era. Alexa, play ../../../../../../../../Users/Public/Music/Sample Music/Kalimba.mp3
-rw-r--r--src/path_functions.cpp50
1 files changed, 11 insertions, 39 deletions
diff --git a/src/path_functions.cpp b/src/path_functions.cpp
index 10c8ae53..b1d79762 100644
--- a/src/path_functions.cpp
+++ b/src/path_functions.cpp
@@ -44,61 +44,37 @@ QString AOApplication::get_data_path() { return get_base_path() + "data/"; }
QString AOApplication::get_default_theme_path(QString p_file)
{
QString path = get_base_path() + "themes/default/" + p_file;
-#ifndef CASE_SENSITIVE_FILESYSTEM
- return path;
-#else
return get_case_sensitive_path(path);
-#endif
}
QString AOApplication::get_custom_theme_path(QString p_theme, QString p_file)
{
QString path = get_base_path() + "themes/" + p_theme + "/" + p_file;
-#ifndef CASE_SENSITIVE_FILESYSTEM
- return path;
-#else
return get_case_sensitive_path(path);
-#endif
}
QString AOApplication::get_theme_path(QString p_file)
{
QString path = get_base_path() + "themes/" + current_theme + "/" + p_file;
-#ifndef CASE_SENSITIVE_FILESYSTEM
- return path;
-#else
return get_case_sensitive_path(path);
-#endif
}
QString AOApplication::get_character_path(QString p_char, QString p_file)
{
QString path = get_base_path() + "characters/" + p_char + "/" + p_file;
-#ifndef CASE_SENSITIVE_FILESYSTEM
- return path;
-#else
return get_case_sensitive_path(path);
-#endif
}
QString AOApplication::get_sounds_path(QString p_file)
{
QString path = get_base_path() + "sounds/general/" + p_file;
-#ifndef CASE_SENSITIVE_FILESYSTEM
- return path;
-#else
return get_case_sensitive_path(path);
-#endif
}
QString AOApplication::get_music_path(QString p_song)
{
QString path = get_base_path() + "sounds/music/" + p_song;
-#ifndef CASE_SENSITIVE_FILESYSTEM
- return path;
-#else
return get_case_sensitive_path(path);
-#endif
}
QString AOApplication::get_background_path(QString p_file)
@@ -106,11 +82,7 @@ QString AOApplication::get_background_path(QString p_file)
QString path = get_base_path() + "background/" +
w_courtroom->get_current_background() + "/" + p_file;
if (courtroom_constructed) {
-#ifndef CASE_SENSITIVE_FILESYSTEM
- return path;
-#else
return get_case_sensitive_path(path);
-#endif
}
return get_default_background_path(p_file);
}
@@ -118,33 +90,30 @@ QString AOApplication::get_background_path(QString p_file)
QString AOApplication::get_default_background_path(QString p_file)
{
QString path = get_base_path() + "background/default/" + p_file;
-#ifndef CASE_SENSITIVE_FILESYSTEM
- return path;
-#else
return get_case_sensitive_path(path);
-#endif
}
QString AOApplication::get_evidence_path(QString p_file)
{
QString path = get_base_path() + "evidence/" + p_file;
-#ifndef CASE_SENSITIVE_FILESYSTEM
- return path;
-#else
return get_case_sensitive_path(path);
-#endif
}
QString AOApplication::get_case_sensitive_path(QString p_file)
{
+ QFileInfo file(p_file);
+ QString file_basename = file.fileName();
+
+ // no path traversal above base folder
+ if (!(file.absolutePath().startsWith(get_base_path())))
+ return get_base_path() + file_basename;
+
+ #ifdef CASE_SENSITIVE_FILESYSTEM
// first, check to see if it's actually there (also serves as base case for
// recursion)
if (exists(p_file))
return p_file;
- QFileInfo file(p_file);
-
- QString file_basename = file.fileName();
QString file_parent_dir = get_case_sensitive_path(file.absolutePath());
// second, does it exist in the new parent dir?
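Review bot: The containment guard on the new line `if (!(file.absolutePath().startsWith(get_base_path())))` compares an un-normalized parent with a plain string prefix, and Qt's own documentation for absoluteFilePath/absolutePath says redundant `.` and `..` elements are "not necessarily removed", so whether a `..` segment is caught depends on the platform implementation rather than on this code. The prefix test also looks too strict for the recursion below it: if `get_base_path()` ends with a separator (the hunk header's `get_base_path() + "data/"` suggests it does), then for a first-level subdirectory such as base/themes the value of `absolutePath()` is the base directory without that trailing slash, `startsWith` fails, and the recursive `get_case_sensitive_path(file.absolutePath())` call returns `get_base_path() + file_basename` instead of the real parent. I would normalize both sides with `QDir::cleanPath` and test the file's own absolute path, accepting the base directory itself and anything under base + "/"; that also rejects sibling directories that merely share the base as a string prefix. The function continues into the next hunk, and the `#ifdef CASE_SENSITIVE_FILESYSTEM` branch is left as is.

```cpp
QString AOApplication::get_case_sensitive_path(QString p_file)
{
  QFileInfo file(p_file);
  QString file_basename = file.fileName();

  // Normalize before comparing so "." / ".." segments cannot slip past the
  // prefix test; the base directory itself counts as inside the base.
  const QString base = QDir::cleanPath(get_base_path());
  const QString target = QDir::cleanPath(file.absoluteFilePath());
  if (target != base && !target.startsWith(base + "/"))
    return get_base_path() + file_basename;

  // … unchanged: CASE_SENSITIVE_FILESYSTEM lookup and recursion …
```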
@@ -163,4 +132,7 @@ QString AOApplication::get_case_sensitive_path(QString p_file)
// if nothing is found, let the caller handle the missing file
return file_parent_dir + "/" + file_basename;
+#else
+ return p_file;
+#endif
}