Use looks_like_pbl() to disallow .pbl file inclusion (bug #23504)

This function is implemented using case-insensitive pattern matching, unlike filesystem::ends_with(). I missed this when writing my original fix, so the vulnerability still applied to .pbl files on a case-insensitive filesystem (e.g. NTFS and FAT* on Windows) by using different case to bypass the check.
wesnoth · Jun 17, 2015 · 1f3dbfb · 1f3dbfb
1 parent 7bdadf5
commit 1f3dbfb
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 2 deletions.
diff --git a/changelog b/changelog
@@ -1,4 +1,7 @@
 Version 1.12.3+dev:
+ * Security fixes:
+   * Disallowed WML inclusion of .pbl files with a non-lowercase extension too
+     (bug #23504).
  * Language and i18n:
    * Updated translations:
 

diff --git a/players_changelog b/players_changelog
@@ -3,6 +3,9 @@ changes may be omitted). For a complete list of changes, see the main
 changelog: https://github.com/wesnoth/wesnoth/blob/1.12/changelog
 
 Version 1.12.3+dev:
+ * Security fixes:
+   * Disallowed WML inclusion of .pbl files with a non-lowercase extension too
+     (bug #23504).
  * Language and i18n:
    * Updated translations:
 

diff --git a/src/filesystem.cpp b/src/filesystem.cpp
@@ -1025,7 +1025,7 @@ std::string get_wml_location(const std::string &filename, const std::string &cur
 		return result;
 	}
 
-	if (ends_with(filename, ".pbl")) {
+	if (looks_like_pbl(filename)) {
 		ERR_FS << "Illegal path '" << filename << "' (.pbl files are not allowed)." << std::endl;
 		return result;
 	}

diff --git a/src/filesystem_boost.cpp b/src/filesystem_boost.cpp
@@ -979,7 +979,7 @@ static bool is_legal_file(const std::string &filename)
 		return false;
 	}
 
-	if (ends_with(filename, ".pbl")) {
+	if (looks_like_pbl(filename)) {
 		ERR_FS << "Illegal path '" << filename << "' (.pbl files are not allowed)." << std::endl;
 		return false;
 	}