Use str_find from src/base/system.h and check for C: on Windows

Previously, using drive-relative paths could be used to escape the Teeworlds directory on Windows.
2024-11-19 06:28:19 +00:00 · 2017-06-18 16:26:29 +02:00 · 2017-06-18 16:26:29 +02:00 · 1a50d405cb
parent 59b33b95e4
commit 1a50d405cb
1 changed files with 5 additions and 2 deletions
--- a/src/engine/shared/storage.cpp
+++ b/src/engine/shared/storage.cpp
@ -3,7 +3,6 @@
 #include <base/system.h>
 #include <engine/storage.h>
 #include "linereader.h"
-#include <string.h>

 // compiled-in data-dir path
 #define DATA_DIR "data"
@ -281,7 +280,11 @@ public:
 			BufferSize = sizeof(aBuffer);
 		}

-		if(pFilename[0] == '/' || pFilename[0] == '\\' || strstr(pFilename, "../") != NULL || strstr(pFilename, "..\\") != NULL)
+		if(pFilename[0] == '/' || pFilename[0] == '\\' || str_find(pFilename, "../") != NULL || str_find(pFilename, "..\\") != NULL
+		#ifdef CONF_FAMILY_WINDOWS
+			|| (pFilename[0] && pFilename[1] == ':')
+		#endif
+		)
 		{
 			// don't escape base directory
 		}