From a25ddbbb3b6ea120194a2e5f92d3907731950248 Mon Sep 17 00:00:00 2001
From: Holger Schemel <info@artsoft.org>
Date: Fri, 31 Aug 2018 08:13:05 +0200
Subject: [PATCH] added checking for invalid/malicious filenames in network
 protocol

---
 src/network.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/network.c b/src/network.c
index bf12567b..d0c15619 100644
--- a/src/network.c
+++ b/src/network.c
@@ -182,6 +182,11 @@ char *getNetworkPlayerName(int player_nr)
   return(EMPTY_PLAYER_NAME);
 }
 
+static boolean hasPathSeparator(char *s)
+{
+  return (strchr(s, '/') != NULL);
+}
+
 static void StartNetworkServer(int port)
 {
   static int p;
@@ -827,6 +832,9 @@ static void Handle_OP_LEVEL_FILE()
 
   leveldir_identifier = getStringCopy(getNetworkBufferString(read_buffer));
 
+  if (hasPathSeparator(leveldir_identifier))
+    Error(ERR_EXIT, "protocol error: invalid filename from network client");
+
   InitNetworkLevelDirectory(leveldir_identifier);
 
   network_level_dir   = getNetworkLevelDir(leveldir_identifier);
@@ -837,6 +845,9 @@ static void Handle_OP_LEVEL_FILE()
   file_info->basename = getStringCopy(getNetworkBufferString(read_buffer));
   file_info->filename = getPath2(network_level_dir, file_info->basename);
 
+  if (hasPathSeparator(file_info->basename))
+    Error(ERR_EXIT, "protocol error: invalid filename from network client");
+
   getNetworkBufferFile(read_buffer, file_info->filename);
 
   use_custom_template = getNetworkBuffer8BitInteger(read_buffer);
@@ -847,6 +858,9 @@ static void Handle_OP_LEVEL_FILE()
     tmpl_info->basename = getStringCopy(getNetworkBufferString(read_buffer));
     tmpl_info->filename = getPath2(network_level_dir, tmpl_info->basename);
 
+    if (hasPathSeparator(tmpl_info->basename))
+      Error(ERR_EXIT, "protocol error: invalid filename from network client");
+
     getNetworkBufferFile(read_buffer, tmpl_info->filename);
   }
 
-- 
2.34.1