Fix a possible security issue
- disallow overwriting config.ini
gzotti committed Mar 4, 2023
1 parent 0c3a256 commit eba61df
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions src/scripting/StelScriptOutput.cpp
@@ -62,6 +62,12 @@ void StelScriptOutput::saveOutputAs(const QString &name)

const bool okToSaveToAbsolutePath=StelApp::getInstance().getSettings()->value("scripts/flag_script_allow_write_absolute_path", false).toBool();

if (name.contains("config.ini"))
{
qWarning() << "SCRIPTING ERROR: You are trying to overwrite config.ini. Ignoring.";
return;
}

if (!okToSaveToAbsolutePath && ((newFileNameInfo.isAbsolute() || (name.contains(".."))))) // The last condition may include dangerous/malicious paths
{
qWarning() << "SCRIPTING CONFIGURATION ISSUE: You are trying to save to an absolute pathname or move up in directories.";
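Review bot: The added guard `if (name.contains("config.ini"))` is a case-sensitive substring match, so it misses spellings that differ only in letter case, which refer to the same file on case-insensitive file systems. At minimum pass the flag, `if (name.contains("config.ini", Qt::CaseInsensitive))`. A sturdier check would compare the resolved target path with the path of the settings file actually in use, because a hard-coded name would presumably not cover a settings file stored under another name. The substring test also rejects unrelated output names that merely contain that text, so a short comment such as `// deliberately broad: refuse any name mentioning the settings file` would record that this is intended. The body of saveOutputAs starts and ends outside this hunk, so how the final path is built from `name` cannot be confirmed from here.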
