From c116c209d0d58abef4066e4be20b9a858d278a63 Mon Sep 17 00:00:00 2001
From: Andrei Karas <akaras@inbox.ru>
Date: Sun, 8 Jan 2012 20:41:48 +0300
Subject: Validate update host.

---
 src/client.cpp                    |  4 ++++
 src/gui/login.cpp                 | 12 ++++++++++--
 src/main.cpp                      |  7 ++++++-
 src/net/manaserv/loginhandler.cpp |  9 +++++++++
 src/net/tmwa/loginhandler.cpp     |  5 +++++
 src/utils/stringutils.cpp         | 12 +++++++++++-
 src/utils/stringutils.h           |  2 ++
 7 files changed, 47 insertions(+), 4 deletions(-)

diff --git a/src/client.cpp b/src/client.cpp
index 1ac4be9f4..30a394e5f 100644
--- a/src/client.cpp
+++ b/src/client.cpp
@@ -1460,6 +1460,8 @@ void Client::initConfiguration()
     config.setValue("musicVolume", 60);
     config.setValue("fpslimit", 60);
     std::string defaultUpdateHost = branding.getValue("defaultUpdateHost", "");
+    if (!checkPath(defaultUpdateHost))
+        defaultUpdateHost = "";
     config.setValue("updatehost", defaultUpdateHost);
     config.setValue("customcursor", true);
     config.setValue("useScreenshotDirectorySuffix", true);
@@ -1508,6 +1510,8 @@ void Client::initUpdatesDir()
     // If updatesHost is currently empty, fill it from config file
     if (mUpdateHost.empty())
         mUpdateHost = config.getStringValue("updatehost");
+    if (!checkPath(mUpdateHost))
+        return;
 
     // Don't go out of range int he next check
     if (mUpdateHost.length() < 2)
diff --git a/src/gui/login.cpp b/src/gui/login.cpp
index d910d37bc..effd3c5e2 100644
--- a/src/gui/login.cpp
+++ b/src/gui/login.cpp
@@ -181,8 +181,16 @@ void LoginDialog::action(const gcn::ActionEvent &event)
             serverConfig.setValue("customUpdateHost",
                 mUpdateHostText->getText());
 
-            mLoginData->updateHost = mUpdateHostText->getText();
-            *mUpdateHost = mUpdateHostText->getText();
+            if (checkPath(mUpdateHostText->getText()))
+            {
+                mLoginData->updateHost = mUpdateHostText->getText();
+                *mUpdateHost = mUpdateHostText->getText();
+            }
+            else
+            {
+                mLoginData->updateHost = "";
+                *mUpdateHost = "";
+            }
         }
         mLoginData->updateType = updateType;
         serverConfig.setValue("updateType", updateType);
diff --git a/src/main.cpp b/src/main.cpp
index a170cf513..4705a4af2 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -33,6 +33,8 @@
 #include <iostream>
 #include <physfs.h>
 
+#include "utils/stringutils.h"
+
 #ifdef __MINGW32__
 #include <windows.h>
 #endif
@@ -131,7 +133,10 @@ static void parseOptions(int argc, char *argv[], Client::Options &options)
                 options.printHelp = true;
                 break;
             case 'H':
-                options.updateHost = optarg;
+                if (checkPath(optarg))
+                    options.updateHost = optarg;
+                else
+                    options.updateHost = "";
                 break;
             case 'c':
                 options.character = optarg;
diff --git a/src/net/manaserv/loginhandler.cpp b/src/net/manaserv/loginhandler.cpp
index 1edfbb6b6..818886b38 100644
--- a/src/net/manaserv/loginhandler.cpp
+++ b/src/net/manaserv/loginhandler.cpp
@@ -341,9 +341,18 @@ void LoginHandler::readServerInfo(Net::MessageIn &msg)
     // Set the update host when included in the message
     const std::string updateHost = msg.readString();
     if (!updateHost.empty())
+    {
+        if (!checkPath(updateHost))
+        {
+            logger->log1("Warning: incorrect update server name");
+            updateHost = "";
+        }
         mLoginData->updateHost = updateHost;
+    }
     else
+    {
         logger->log1("Warning: server does not have an update host set!");
+    }
 
     // Read the client data folder for dynamic data loading.
     // This is only used by the QT client.
diff --git a/src/net/tmwa/loginhandler.cpp b/src/net/tmwa/loginhandler.cpp
index 7f73057b4..12a3d7b19 100644
--- a/src/net/tmwa/loginhandler.cpp
+++ b/src/net/tmwa/loginhandler.cpp
@@ -110,6 +110,11 @@ void LoginHandler::handleMessage(Net::MessageIn &msg)
 
              len = msg.readInt16() - 4;
              mUpdateHost = msg.readString(len);
+             if (!checkPath(mUpdateHost))
+             {
+                mUpdateHost = "";
+                logger->log1("Warning: incorrect update server name");
+             }
              loginData.updateHost = mUpdateHost;
 
              logger->log("Received update host \"%s\" from login server.",
diff --git a/src/utils/stringutils.cpp b/src/utils/stringutils.cpp
index ea2d18276..9a8040c5d 100644
--- a/src/utils/stringutils.cpp
+++ b/src/utils/stringutils.cpp
@@ -456,4 +456,14 @@ std::vector<std::string> getLang()
     if (dot != (signed)std::string::npos)
         langs.push_back(lang.substr(0, dot));
     return langs;
-}
\ No newline at end of file
+}
+
+bool checkPath(std::string path)
+{
+    if (path.empty())
+        return true;
+    return path.find("../") == std::string::npos
+        && path.find("..\\") == std::string::npos
+        && path.find("/..") == std::string::npos
+        && path.find("\\..") == std::string::npos;
+}
diff --git a/src/utils/stringutils.h b/src/utils/stringutils.h
index f0dbf0bd9..b4b6db995 100644
--- a/src/utils/stringutils.h
+++ b/src/utils/stringutils.h
@@ -180,4 +180,6 @@ std::string combineDye2(std::string file, std::string dye);
 
 std::vector<std::string> getLang();
 
+bool checkPath(std::string path);
+
 #endif // UTILS_STRINGUTILS_H
-- 
cgit v1.2.3-60-g2f50