disallow ../ elements in relpath for secure_relative_open

diff --git a/syscall.c b/syscall.c
index cffc814b7b1c1eae12e149bdfb76ba1ae29085c2..081357bb96d0a6fa152498ebff2f5d4235f235c0 100644 (file)
--- a/syscall.c
+++ b/syscall.c
@@ -716,6 +716,8 @@ int do_open_nofollow(const char *pathname, int flags)
   must be a relative path, and the relpath must not contain any
   elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
   applies to all path components, not just the last component)
+
+  The relpath must also not contain any ../ elements in the path
 */
 int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
 {
@@ -724,6 +726,11 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo
                errno = EINVAL;
                return -1;
        }
+       if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) {
+               // no ../ elements allowed in the relpath
+               errno = EINVAL;
+               return -1;
+       }
 
 #if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
        // really old system, all we can do is live with the risks