head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.4
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.2
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2011Q4:1.1.0.6
	pkgsrc-2011Q4-base:1.1
	pkgsrc-2011Q3:1.1.0.4
	pkgsrc-2011Q3-base:1.1
	pkgsrc-2011Q2:1.1.0.2
	pkgsrc-2011Q2-base:1.1;
locks; strict;
comment	@// @;


1.2
date	2012.03.19.20.12.49;	author markd;	state dead;
branches;
next	1.1;

1.1
date	2011.05.07.22.25.09;	author markd;	state Exp;
branches;
next	;


desc
@@


1.2
log
@Update to KDE SC 4.8.0
@
text
@$NetBSD: patch-kget_ui_metalinkcreator_metalinker.cpp,v 1.1 2011/05/07 22:25:09 markd Exp $

http://secunia.com/advisories/44124/

--- kget/ui/metalinkcreator/metalinker.cpp	2011/04/09 09:24:33	1227468
+++ kget/ui/metalinkcreator/metalinker.cpp	2011/04/09 09:25:23	1227469
@@@@ -583,7 +583,13 @@@@
         return false;
     }
 
-    if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/..")) {
+    if (name.endsWith('/')) {
+        kError(5001) << "Name attribute of Metalink::File does not contain a file name:" << name;
+        return false;
+    }
+
+    const QStringList components = name.split('/');
+    if (name.startsWith('/') || components.contains("..") || components.contains(".")) {
         kError(5001) << "Name attribute of Metalink::File contains directory traversal directives:" << name;
         return false;
     }
@


1.1
log
@KGet does not properly sanitise the "name" attribute of the "file" element
of metalink files before using it to download files.
http://secunia.com/advisories/44124/
@
text
@d1 1
a1 1
$NetBSD$
@