Version: 2.1.2 (using KDE KDE 3.5.6) Installed from: Gentoo Packages Compiler: gcc-4.1.2 OS: Linux From Matt Drew (aetius@gentoo.org): "The directory traversal fix is incomplete. Cases such as '../' being inserted into a bnode string in the path sequence will pass the filter they put in place (which only checks if each string node is == ".."). I've verified this against 2.1.2 in the tree. There's a pretty large number of cases that need to be checked - my suggestion would be a "whitelist" of allowed characters in the strings that specify paths."
Downstream: https://bugs.gentoo.org/show_bug.cgi?id=170303
You are right, but other then .. in a path, I don't think you can get outside of the user specified directories. We always prepend the user selected location before the path, so even if it starts with / it will not be a problem.
SVN commit 648419 by guisson: Fix directory traversal bug by making sure that path entries with .. and / in them are not allowed. BUG: 143637 M +2 -2 torrent.cpp --- trunk/extragear/network/ktorrent/libktorrent/torrent/torrent.cpp #648418:648419 @@ -164,9 +164,9 @@ throw Error(i18n("Corrupted torrent!")); QString sd = v->data().toString(encoding); - // check for weirdness like .. , + // check for weirdness like .. and / , // we don't want to write outside the user specified directories - if (sd != "..") + if (!sd.contains("/") && !sd.contains("..")) { path += sd; if (j + 1 < ln->getNumChildren())
Thank you. We'll add your patch downstream asap! :)
There will be a new release tomorrow (we already had this planned), this will also contain the fix.
In our CVS. Thanks for the release!