[Pkg-privacy-commits] [torbrowser-launcher] 02/03: Prevent attempts at directory traversal attacks, even though they do not look exploitable
Holger Levsen
holger at moszumanska.debian.org
Wed Mar 16 00:37:32 UTC 2016
This is an automated email from the git hooks/post-receive script.
holger pushed a commit to branch master
in repository torbrowser-launcher.
commit 7f9f55b9e33fdc6dbd6ca20a83027bc042f7dcdb
Author: Micah Lee <micah at micahflee.com>
Date: Sun Mar 13 14:56:42 2016 -0700
Prevent attempts at directory traversal attacks, even though they do not look exploitable
---
torbrowser_launcher/launcher.py | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/torbrowser_launcher/launcher.py b/torbrowser_launcher/launcher.py
index 442c6f4..a05c4a1 100644
--- a/torbrowser_launcher/launcher.py
+++ b/torbrowser_launcher/launcher.py
@@ -435,7 +435,14 @@ class Launcher:
tree = ET.parse(self.common.paths['version_check_file'])
for up in tree.getroot():
if up.tag == 'update' and up.attrib['appVersion']:
- return str(up.attrib['appVersion'])
+ version = str(up.attrib['appVersion'])
+
+ # make sure the version does not contain directory traversal attempts
+ # e.g. "5.5.3", "6.0a", "6.0a-hardned" are valid but "../../../../.." is invalid
+ if not re.match(r'^[a-z0-9\.\-]+$', version):
+ return None
+
+ return version
return None
def verify(self):
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-privacy/packages/torbrowser-launcher.git
More information about the Pkg-privacy-commits
mailing list