authorBoris Kolpackov <boris@codesynthesis.com>2015-10-13 18:17:34 +0200
committerBoris Kolpackov <boris@codesynthesis.com>2015-10-14 15:13:38 +0200
commit5f21e03ff813d9ef2b1d7c2a91f563faf6ae8572 (patch)
tree96178354a6f3e95c33714e6c5e78dacc1a63e188
parenta5cc1656274d1978a85dd0abafc46c21b7f851d0 (diff)
Normalize and check file and URL paths in fetch operations
-rw-r--r--bpkg/fetch.cxx15
1 files changed, 14 insertions, 1 deletions
diff --git a/bpkg/fetch.cxx b/bpkg/fetch.cxx
index 2ccda2c..494b63d 100644
--- a/bpkg/fetch.cxx
+++ b/bpkg/fetch.cxx
@@ -467,7 +467,10 @@ namespace bpkg
static string
to_url (const string& host, uint16_t port, const path& file)
{
- assert (file.relative ());
+ assert (!file.empty () && file.relative ());
+
+ if (*file.begin () == "..")
+ fail << "invalid URL path " << file;
string url ("http://");
url += host;
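Review bot: The new `..` test in to_url inspects only the first path component, so it is sufficient only if the caller has already normalized `file`; a non-normalized value such as `a/../../b` would pass and be appended to the URL unchanged. The caller patched later in this commit does normalize, but nothing here states or enforces that precondition. Either document it (`// file must be normalized, so ".." can only appear as a leading component`) or reject the component wherever it occurs, `for (const auto& c: file) if (c == "..") fail << "invalid URL path " << file;`. Separately, the emptiness guard lives only in `assert`, so a build with NDEBUG would reach `*file.begin ()` on an empty path unchecked. The rest of to_url's body lies outside this hunk.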
@@ -476,6 +479,7 @@ namespace bpkg
url += ":" + to_string (port);
url += "/" + file.posix_string ();
+
return url;
}
@@ -681,6 +685,15 @@ namespace bpkg
path f (rl.path () / a);
+ try
+ {
+ f.normalize ();
+ }
+ catch (const invalid_path&)
+ {
+ fail << "invalid archive location " << rl << "/" << f;
+ }
+
return rl.remote ()
? fetch_file (o, rl.host (), rl.port (), f, d)
: fetch_file (f, d);
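Review bot: Normalizing `f` collapses any `..` components contributed by `a`, but nothing afterwards checks that the result still lies under `rl.path ()`, so an archive location such as `../../x` resolves to a file outside the repository. On the local branch, `fetch_file (f, d)`, no later check is visible at all; on the remote branch the to_url test only catches a path that climbs above the URL root, not one that leaves the repository prefix. If `a` comes from repository metadata (it looks that way, but its origin is outside the hunk), validate `a` before joining, requiring it to be relative with no `..` component once normalized, or compare the normalized `f` against the normalized `rl.path ()` prefix. The failure message also prints `rl` followed by `f`, which already begins with `rl.path ()`, so `<< rl << "/" << a` would likely read more accurately. The enclosing function starts before this hunk.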