Skip to content

Commit 1261f74

Browse files
committed
Fix a possible security issue
- script output might have been stored to paths elsewhere - Thanks to G.C. for reporting
1 parent 2a2f8a1 commit 1261f74

File tree

2 files changed

+8
-7
lines changed

2 files changed

+8
-7
lines changed

Diff for: src/scripting/StelScriptOutput.cpp

+6-6
Original file line numberDiff line numberDiff line change
@@ -56,15 +56,15 @@ void StelScriptOutput::reset(void)
5656
void StelScriptOutput::saveOutputAs(const QString &name)
5757
{
5858
QFile asFile;
59-
QFileInfo outputInfo(outputFile);
60-
QDir dir=outputInfo.dir(); // will hold complete dirname
61-
QFileInfo newFileNameInfo(name);
59+
const QFileInfo outputInfo(outputFile);
60+
const QDir dir=outputInfo.dir(); // will hold complete dirname
61+
const QFileInfo newFileNameInfo(name);
6262

63-
bool okToSaveToAbsolutePath=StelApp::getInstance().getSettings()->value("scripts/flag_script_allow_write_absolute_path", false).toBool();
63+
const bool okToSaveToAbsolutePath=StelApp::getInstance().getSettings()->value("scripts/flag_script_allow_write_absolute_path", false).toBool();
6464

65-
if (!okToSaveToAbsolutePath && (newFileNameInfo.isAbsolute()))
65+
if (!okToSaveToAbsolutePath && ((newFileNameInfo.isAbsolute() || (name.contains(".."))))) // The last condition may include dangerous/malicious paths
6666
{
67-
qWarning() << "SCRIPTING CONFIGURATION ISSUE: You are trying to save to an absolute pathname.";
67+
qWarning() << "SCRIPTING CONFIGURATION ISSUE: You are trying to save to an absolute pathname or move up in directories.";
6868
qWarning() << " To enable this, edit config.ini and set [scripts]/flag_script_allow_write_absolute_path=true";
6969
asFile.setFileName(dir.absolutePath() + "/" + newFileNameInfo.fileName());
7070
qWarning() << " Storing to " << asFile.fileName() << " instead";

Diff for: src/scripting/StelScriptOutput.hpp

+2-1
Original file line numberDiff line numberDiff line change
@@ -41,12 +41,13 @@ class StelScriptOutput
4141
static void writeLog(QString msg);
4242

4343
//! Reset file, i.e., empty it. This may be useful to have repetitive output which may be read by other programs.
44+
//! Normally you would call saveOutputAs(...), then reset().
4445
static void reset(void);
4546

4647
//! Save to new file, re-create output file.
4748
//! This allows reading of results on Windows, where otherwise reading programs cannot access files opened for writing by Stellarium.
4849
//! @param name new filename. If this is not an absolute path, it will be created in the same directory as output.txt
49-
//! @note For storing to absolute path names, set [scripts]/flag_script_allow_write_absolute_path=true.
50+
//! @note For storing to absolute path names or paths containing directory navigation (".."), set [scripts]/flag_script_allow_write_absolute_path=true.
5051
//! Normally you would call saveOutputAs(...), then reset().
5152
static void saveOutputAs(const QString& name);
5253

0 commit comments

Comments
 (0)