From 08c1842379c6a11f3b52fafcfa3bc47748e3cde8 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Mon, 14 Dec 2015 09:21:09 +0100
Subject: [SERVER] Disallow images starting with "." now that we allow load-on-demand

This will prevent hidden files from being exported to clients and also prevents directory traversal attacks ( ../../image.img )
---
 src/server/image.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/server/image.c b/src/server/image.c
index b046af5..fb3f8ba 100644
--- a/src/server/image.c
+++ b/src/server/image.c
@@ -917,7 +917,8 @@ dnbd3_image_t* image_getOrLoad(char * const name, const uint16_t revision)
 if ( !_isProxy && revision != 0 ) return image_get( name, revision, true );
 const size_t len = strlen( name );
 // Sanity check
- if ( len == 0 || name[len - 1] == '/' || name[0] == '/' ) return NULL;
+ if ( len == 0 || name[len - 1] == '/' || name[0] == '/'
+ || name[0] == '.' || strstr( name, "/." ) != NULL ) return NULL;
 // Call specific function depending on whether this is a proxy or not
 if ( _isProxy ) {
 return loadImageProxy( name, revision, len );
-- cgit v1.2.3-55-g7522
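Review bot: The new dot-component test only runs after the early `if ( !_isProxy && revision != 0 ) return image_get( name, revision, true );` at the top of the hunk, so a name requested with an explicit revision on a non-proxy server reaches image_get() unvalidated. That is presumably harmless if image_get() only searches already-loaded images, but that is not visible here; moving `const size_t len = strlen( name );` and the sanity `if` above the early return would make the rule hold on every path. The `// Sanity check` comment should also record the security intent, e.g. `// Reject empty names, absolute paths, a trailing '/', and any path component starting with '.' (hidden files, "." and "..")`. A string filter does not cover symlinks inside the image directory, so the loaders may still want to confirm that the resolved path stays under the base path. image_getOrLoad's body starts and ends outside the hunk.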