From: Selva Nair <selva.nair@gmail.com>
Date: Tue, 28 Oct 2025 10:16:36 +0000 (+0100)
Subject: Canonicalize config_dir before comparing with the config file location
X-Git-Tag: v2.7_rc1~25
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=05a8ba8;p=thirdparty%2Fopenvpn.git

Canonicalize config_dir before comparing with the config file location

Found by ZeroPath

Change-Id: I8e884c00cb94f97a612056e8dca74d821a6d6386
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1318
Message-Id: <20251028101642.11874-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33923.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---

diff --git a/src/openvpnserv/CMakeLists.txt b/src/openvpnserv/CMakeLists.txt
index 340b904c8..a92ee08c6 100644
--- a/src/openvpnserv/CMakeLists.txt
+++ b/src/openvpnserv/CMakeLists.txt
@@ -6,6 +6,11 @@ project(openvpnserv)
 
 add_executable(openvpnserv)
 
+include(CheckSymbolExists)
+
+# Some old versions of mingw does not have PATHCCH_OPTIONS enums -- add a check
+check_symbol_exists(PATHCCH_ENSURE_TRAILING_SLASH pathcch.h HAVE_PATHCCH_ENSURE_TRAILING_SLASH)
+
 set(MC_GEN_DIR ${CMAKE_CURRENT_BINARY_DIR}/mc)
 
 target_include_directories(openvpnserv PRIVATE
@@ -31,7 +36,7 @@ target_compile_options(openvpnserv PRIVATE
     )
 target_link_libraries(openvpnserv
     advapi32.lib userenv.lib iphlpapi.lib fwpuclnt.lib rpcrt4.lib
-    shlwapi.lib netapi32.lib ws2_32.lib ntdll.lib ole32.lib)
+    shlwapi.lib netapi32.lib ws2_32.lib ntdll.lib ole32.lib pathcch.lib)
 if (MINGW)
     target_compile_options(openvpnserv PRIVATE -municode)
     target_link_options(openvpnserv PRIVATE -municode)
diff --git a/src/openvpnserv/validate.c b/src/openvpnserv/validate.c
index 59d5b86ea..2187fb58b 100644
--- a/src/openvpnserv/validate.c
+++ b/src/openvpnserv/validate.c
@@ -25,6 +25,11 @@
 #include <lmaccess.h>
 #include <shlwapi.h>
 #include <lm.h>
+#include <pathcch.h>
+
+#ifndef HAVE_PATHCCH_ENSURE_TRAILING_SLASH
+#define PATHCCH_ENSURE_TRAILING_SLASH 0x20
+#endif
 
 static const WCHAR *white_list[] = {
     L"auth-retry",
@@ -61,7 +66,7 @@ CheckConfigPath(const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
 {
     WCHAR tmp[MAX_PATH];
     const WCHAR *config_file = NULL;
-    const WCHAR *config_dir = NULL;
+    WCHAR config_dir[MAX_PATH];
 
     /* convert fname to full path */
     if (PathIsRelativeW(fname))
@@ -74,9 +79,12 @@ CheckConfigPath(const WCHAR *workdir, const WCHAR *fname, const settings_t *s)
         config_file = fname;
     }
 
-    config_dir = s->config_dir;
+    /* canonicalize config_dir and add trailing slash before comparison */
+    HRESULT res = PathCchCanonicalizeEx(config_dir, _countof(config_dir), s->config_dir,
+                                        PATHCCH_ENSURE_TRAILING_SLASH);
 
-    if (wcsncmp(config_dir, config_file, wcslen(config_dir)) == 0
+    if (res == S_OK
+        && wcsncmp(config_dir, config_file, wcslen(config_dir)) == 0
         && wcsstr(config_file + wcslen(config_dir), L"..") == NULL)
     {
         return TRUE;