author | Boris Kolpackov <boris@codesynthesis.com> | 2015-10-13 18:17:34 +0200 |
---|---|---|
committer | Boris Kolpackov <boris@codesynthesis.com> | 2015-10-14 15:13:38 +0200 |
commit | 5f21e03ff813d9ef2b1d7c2a91f563faf6ae8572 (patch) | |
tree | 96178354a6f3e95c33714e6c5e78dacc1a63e188 | |
parent | a5cc1656274d1978a85dd0abafc46c21b7f851d0 (diff) |
Normalize and check file and URL paths in fetch operations
-rw-r--r-- | bpkg/fetch.cxx | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/bpkg/fetch.cxx b/bpkg/fetch.cxx index 2ccda2c..494b63d 100644 --- a/bpkg/fetch.cxx +++ b/bpkg/fetch.cxx @@ -467,7 +467,10 @@ namespace bpkg static string to_url (const string& host, uint16_t port, const path& file) { - assert (file.relative ()); + assert (!file.empty () && file.relative ()); + + if (*file.begin () == "..") + fail << "invalid URL path " << file; string url ("http://"); url += host; @@ -476,6 +479,7 @@ namespace bpkg url += ":" + to_string (port); url += "/" + file.posix_string (); + return url; } @@ -681,6 +685,15 @@ namespace bpkg path f (rl.path () / a); + try + { + f.normalize (); + } + catch (const invalid_path&) + { + fail << "invalid archive location " << rl << "/" << f; + } + return rl.remote () ? fetch_file (o, rl.host (), rl.port (), f, d) : fetch_file (f, d); |
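Review bot: In to_url the new `..` test looks only at the first component of `file`, so it is sound only when every caller passes an already normalized path; an unnormalized value such as `a/../../b` (constructed example) passes it and still reaches `file.posix_string ()`. The last hunk normalizes the archive path in one caller, but any other callers of to_url are not visible in this diff. Either state the precondition in a comment, `// file must be normalized: a leading ".." is then the only way out of the URL root`, or reject the component wherever it occurs, `for (const auto& c: file) if (c == "..") fail << "invalid URL path " << file;`. The emptiness check also lives only in `assert`, so a build with NDEBUG would evaluate `*file.begin ()` on an empty path.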
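Review bot: After `f.normalize ()` nothing checks that `f` is still below `rl.path ()`, so an archive location `a` with enough `..` components can resolve to a file outside the repository directory in the local `fetch_file (f, d)` branch, and to a different path on the same host in the remote branch, where to_url rejects only a leading `..`. If `a` comes from a fetched package manifest, as its use here suggests, it is untrusted input. Validate `a` before joining it: inside the same try block normalize a copy `n` of `a` and fail when it escapes, for example `if (n.empty () || !n.relative () || *n.begin () == "..") fail << "invalid archive location " << rl << "/" << a;`. The enclosing function starts and ends outside this hunk.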