From a3645984cdf5a827b93b616acd4bae2d33af728a Mon Sep 17 00:00:00 2001
From: Max Kellermann
Date: Sat, 27 Feb 2010 19:01:17 +0100
Subject: command: "update" checks if the path is malformed

This is a very basic check, which only ensures that the path does not begin with a slash, doesn't have double slashes and the special names "." and ".." are forbidden.
---
 NEWS | 1 +
 src/command.c | 18 ++++++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index d04d14e32..714cb533e 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,7 @@ ver 0.16 (20??/??/??)
 - "load" supports remote playlists (extm3u, pls, asx, xspf, lastfm://)
 - allow changing replay gain mode on-the-fly
 - omitting the range end is possible
+ - "update" checks if the path is malformed
 * archive:
 - iso: renamed plugin to "iso9660"
 - zip: renamed plugin to "zzip"
diff --git a/src/command.c b/src/command.c
index e591d06e3..ab1a7b0a9 100644
--- a/src/command.c
+++ b/src/command.c
@@ -1055,9 +1055,16 @@ handle_update(struct client *client, G_GNUC_UNUSED int argc, char *argv[])
 unsigned ret;
 assert(argc <= 2);
- if (argc == 2)
+ if (argc == 2) {
 path = argv[1];
+ if (!uri_safe_local(path)) {
+ command_error(client, ACK_ERROR_ARG,
+ "Malformed path");
+ return COMMAND_RETURN_ERROR;
+ }
+ }
+
 ret = update_enqueue(path, false);
 if (ret > 0) {
 client_printf(client, "updating_db: %i\n", ret);
@@ -1076,9 +1083,16 @@ handle_rescan(struct client *client, G_GNUC_UNUSED int argc, char *argv[])
 unsigned ret;
 assert(argc <= 2);
- if (argc == 2)
+ if (argc == 2) {
 path = argv[1];
+ if (!uri_safe_local(path)) {
+ command_error(client, ACK_ERROR_ARG,
+ "Malformed path");
+ return COMMAND_RETURN_ERROR;
+ }
+ }
+
 ret = update_enqueue(path, true);
 if (ret > 0) {
 client_printf(client, "updating_db: %i\n", ret);
-- 
cgit v1.2.3
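Review bot: The `uri_safe_local()` rejection block under `if (argc == 2)` in handle_update is repeated verbatim in the handle_rescan hunk, and neither copy records what the check covers. I would move it into one static helper that both handlers call, so a later path-taking handler reuses it rather than copying it a third time. The helper should carry a comment saying the check is lexical only (no leading slash, no double slash, no "." or ".." segment, as the commit message describes), so nobody reads it as full containment; whether symlinks below the music directory are handled elsewhere is not visible here. Both function bodies start and end outside their hunks.

```c
/*
 * Lexical check only: rejects a leading slash, double slashes and the
 * "." / ".." segments.  It does not resolve the path on disk.
 */
static bool
check_uri_arg(struct client *client, const char *uri)
{
	if (uri_safe_local(uri))
		return true;

	command_error(client, ACK_ERROR_ARG, "Malformed path");
	return false;
}

/* … unchanged: handle_update declarations and assert … */
	if (argc == 2) {
		path = argv[1];

		if (!check_uri_arg(client, path))
			return COMMAND_RETURN_ERROR;
	}
/* … unchanged: update_enqueue call and reply; same call in handle_rescan … */
```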