From 5f21e03ff813d9ef2b1d7c2a91f563faf6ae8572 Mon Sep 17 00:00:00 2001
From: Boris Kolpackov <boris@codesynthesis.com>
Date: Tue, 13 Oct 2015 18:17:34 +0200
Subject: Normalize and check file and URL paths in fetch operations

---
 bpkg/fetch.cxx | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'bpkg/fetch.cxx')

diff --git a/bpkg/fetch.cxx b/bpkg/fetch.cxx
index 2ccda2c..494b63d 100644
--- a/bpkg/fetch.cxx
+++ b/bpkg/fetch.cxx
@@ -467,7 +467,10 @@ namespace bpkg
   static string
   to_url (const string& host, uint16_t port, const path& file)
   {
-    assert (file.relative ());
+    assert (!file.empty () && file.relative ());
+
+    if (*file.begin () == "..")
+      fail << "invalid URL path " << file;
 
     string url ("http://");
     url += host;
@@ -476,6 +479,7 @@ namespace bpkg
       url += ":" + to_string (port);
 
     url += "/" + file.posix_string ();
+
     return url;
   }
 
@@ -681,6 +685,15 @@ namespace bpkg
 
     path f (rl.path () / a);
 
+    try
+    {
+      f.normalize ();
+    }
+    catch (const invalid_path&)
+    {
+      fail << "invalid archive location " << rl << "/" << f;
+    }
+
     return rl.remote ()
       ? fetch_file (o, rl.host (), rl.port (), f, d)
       : fetch_file (f, d);
-- 
cgit v1.1