authorSimon Rettberg2015-12-14 09:21:09 +0100
committerSimon Rettberg2015-12-14 09:21:09 +0100
commit08c1842379c6a11f3b52fafcfa3bc47748e3cde8 (patch)
tree5136ab51dfb0cfdb742824ec24aeb6e1152c0011
parent[SERVER] Support looking on disk if an unknown image is requested (diff)
[SERVER] Disallow images starting with "." now that we allow load-on-demand
This prevents hidden files from being exported to clients and also prevents directory traversal attacks ( ../../image.img )
-rw-r--r--src/server/image.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/server/image.c b/src/server/image.c
index b046af5..fb3f8ba 100644
--- a/src/server/image.c
+++ b/src/server/image.c
@@ -917,7 +917,8 @@ dnbd3_image_t* image_getOrLoad(char * const name, const uint16_t revision)
if ( !_isProxy && revision != 0 ) return image_get( name, revision, true );
const size_t len = strlen( name );
// Sanity check
- if ( len == 0 || name[len - 1] == '/' || name[0] == '/' ) return NULL;
+ if ( len == 0 || name[len - 1] == '/' || name[0] == '/'
+ || name[0] == '.' || strstr( name, "/." ) != NULL ) return NULL;
// Call specific function depending on whether this is a proxy or not
if ( _isProxy ) {
return loadImageProxy( name, revision, len );
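Review bot: The new `name[0] == '.'` / `strstr( name, "/." )` test sits below the early `return image_get( name, revision, true );` on the first line of the hunk, so a non-proxy request with `revision != 0` never passes through it. That is harmless only if image_get() consults the already-loaded image list and never builds a filesystem path from `name`, which is not visible here; moving `len` and the sanity check above that return would make the filter hold on every path. The check is also purely lexical, so a symlink inside the image directory could still resolve outside it; if that matters, the load-on-demand code would need to compare the canonical path against the base directory. I would also expand the comment to `// Reject empty names, absolute paths, a trailing '/', and any path component starting with '.' (hidden files, "." and "..")`. The body of image_getOrLoad starts and ends outside this hunk.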