| commit | c52d46e041b42bb1ee6f692e00a0abe37a9659f6 | |
| author | Gerd Hoffmann <kraxel@redhat.com> | |
| Mon, 3 Dec 2018 10:10:45 +0000 (3 11:10 +0100) | ||
| committer | Gerd Hoffmann <kraxel@redhat.com> | |
| Mon, 3 Dec 2018 18:40:17 +0000 (3 19:40 +0100) | ||
| tree | 56b59624aa0816febe19b4f3ce3cac4a9a09bdf8 | treesnapshot (tar.gz zip) |
| parent | 6de02a13232a84261bd2d5e07013d6e6572cd60f | commitdiff |
usb-mtp: outlaw slashes in filenames
Slash is unix directory separator, so they are not allowed in filenames.
Note this also stops the classic escape via "../".
Fixes: CVE-2018-16867
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181203101045.27976-3-kraxel@redhat.com
Slash is unix directory separator, so they are not allowed in filenames.
Note this also stops the classic escape via "../".
Fixes: CVE-2018-16867
Reported-by: Michael Hanselmann <public@hansmi.ch>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20181203101045.27976-3-kraxel@redhat.com
| hw/usb/dev-mtp.c | diffblobblamehistory |