Firestorm can't be trusted.

This commit is contained in:
Lirusaito
2017-05-13 09:56:23 -04:00
parent 8cea1705d1
commit e8a0762eee

View File

@@ -736,6 +736,15 @@ std::vector<std::string> LLDir::findSkinnedFilenames(const std::string& subdir,
<< ((constraint == CURRENT_SKIN)? "CURRENT_SKIN" : "ALL_SKINS")
<< LL_ENDL;
// Build results vector.
std::vector<std::string> results;
// Disallow filenames that may escape subdir
if (filename.find("..") != std::string::npos)
{
LL_WARNS("LLDir") << "Ignoring potentially relative filename '" << filename << "'" << LL_ENDL;
return results;
}
// Cache the default language directory for each subdir we've encountered.
// A cache entry whose value is the empty string means "not localized,
// don't bother checking again."
@@ -800,8 +809,6 @@ std::vector<std::string> LLDir::findSkinnedFilenames(const std::string& subdir,
}
}
// Build results vector.
std::vector<std::string> results;
// The process we use depends on 'constraint'.
if (constraint != CURRENT_SKIN) // meaning ALL_SKINS
{