aboutsummaryrefslogtreecommitdiff
path: root/src/guile
diff options
context:
space:
mode:
authorWojtek Kosior <koszko@koszko.org>2024-01-24 21:38:49 +0100
committerWojtek Kosior <koszko@koszko.org>2024-01-25 18:11:04 +0100
commit5e95240b6e40d3574b51b597051662a157c0b7d8 (patch)
treec05709dfde9df67649591f1ed8ea5cc8d1eae02f /src/guile
parent3759cd33f45bebbd5b6a8682f053bc410afaef18 (diff)
downloadcantius-5e95240b6e40d3574b51b597051662a157c0b7d8.tar.gz
cantius-5e95240b6e40d3574b51b597051662a157c0b7d8.zip
Forbid `.` and `..` in loaded resource file paths.
Diffstat (limited to 'src/guile')
-rw-r--r--src/guile/cantius.scm12
1 files changed, 12 insertions, 0 deletions
diff --git a/src/guile/cantius.scm b/src/guile/cantius.scm
index fe8131a..af37a32 100644
--- a/src/guile/cantius.scm
+++ b/src/guile/cantius.scm
@@ -24,8 +24,20 @@
+(define %illegal-path-regex
+ ;; Forbid `.` and `..` segments in paths.
+ (make-regexp "^(.*/)?[.][.]?(/.*)?$"))
+
+(define legal-path?
+ (negate (cut regexp-exec %illegal-path-regex <>)))
+
(export find-resource-file)
(define* (find-resource-file file #:optional (root-path (%resource-root-path)))
+ (unless (legal-path? file)
+ (raise (condition
+ (&error)
+ (&message (message (format #f "Illegal path ~a" file))))))
+
(let loop ((paths root-path))
(match paths
(()