From: W. Felix Handte <w@felixhandte.com>
Date: Fri, 26 Feb 2021 17:29:42 +0000 (-0500)
Subject: Detect `..` in Paths Correctly
X-Git-Tag: v1.4.9^2~2^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=61db590ad857ef145de45fbfdd5513eb45077b37;p=thirdparty%2Fzstd.git

Detect `..` in Paths Correctly

This commit addresses #2509.
---

diff --git a/programs/util.c b/programs/util.c
index 7208d66d2..3fd4cd17e 100644
--- a/programs/util.c
+++ b/programs/util.c
@@ -679,7 +679,27 @@ const char* UTIL_getFileExtension(const char* infilename)
 
 static int pathnameHas2Dots(const char *pathname)
 {
-    return NULL != strstr(pathname, "..");
+    /* We need to figure out whether any ".." present in the path is a whole
+     * path token, which is the case if it is bordered on both sides by either
+     * the beginning/end of the path or by a directory separator.
+     */
+    const char *needle = pathname;
+    while (1) {
+        needle = strstr(needle, "..");
+
+        if (needle == NULL) {
+            return 0;
+        }
+
+        if ((needle == pathname || needle[-1] == PATH_SEP)
+         && (needle[2] == '\0' || needle[2] == PATH_SEP)) {
+            return 1;
+        }
+
+        /* increment so we search for the next match */
+        needle++;
+    };
+    return 0;
 }
 
 static int isFileNameValidForMirroredOutput(const char *filename)