fs: Use game data path to resolve ./ in the absence of a current_dir

Fixes a file content disclosure bug (#22042) affecting functionality relying on the get_wml_location() function and not passing a non-empty value for the current_dir parameter. See <https://gna.org/bugs/?22042> for details. This is a candidate for the 1.10 and 1.12 branches. (Backported from master, commit 314425a.)
wesnoth · May 16, 2014 · af61f9f · af61f9f
1 parent e83eb45
commit af61f9f
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/changelog b/changelog
@@ -26,6 +26,7 @@ Version 1.10.7+dev:
      color codes as the start of a comment.
    * Fixed: Compilation with CLang 3.2 and libc++.
    * Fixed bug #20876: A segfault in cut_surface.
+   * Fix bug #22042: filesystem content disclosure issue affecting Lua APIs
 
 Version 1.10.7:
  * Add-ons server:

diff --git a/src/filesystem.cpp b/src/filesystem.cpp
@@ -1170,8 +1170,18 @@ std::string get_wml_location(const std::string &filename, const std::string &cur
 	else if (filename.size() >= 2 && filename[0] == '.' && filename[1] == '/')
 	{
 		// If the filename begins with a "./", look in the same directory
-		// as the file currrently being preprocessed.
-		result = current_dir + filename.substr(2);
+		// as the file currently being preprocessed.
+
+		if (!current_dir.empty())
+		{
+			result = current_dir;
+		}
+		else
+		{
+			result = game_config::path;
+		}
+
+		result += filename.substr(2);
 	}
 	else if (!game_config::path.empty())
 		result = game_config::path + "/data/" + filename;