From 5e95240b6e40d3574b51b597051662a157c0b7d8 Mon Sep 17 00:00:00 2001 From: Wojtek Kosior Date: Wed, 24 Jan 2024 21:38:49 +0100 Subject: Forbid `.` and `..` in loaded resource file paths. --- src/guile/cantius.scm | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'src/guile') diff --git a/src/guile/cantius.scm b/src/guile/cantius.scm index fe8131a..af37a32 100644 --- a/src/guile/cantius.scm +++ b/src/guile/cantius.scm @@ -24,8 +24,20 @@ +(define %illegal-path-regex + ;; Forbid `.` and `..` segments in paths. + (make-regexp "^(.*/)?[.][.]?(/.*)?$")) + +(define legal-path? + (negate (cut regexp-exec %illegal-path-regex <>))) + (export find-resource-file) (define* (find-resource-file file #:optional (root-path (%resource-root-path))) + (unless (legal-path? file) + (raise (condition + (&error) + (&message (message (format #f "Illegal path ~a" file)))))) + (let loop ((paths root-path)) (match paths (() -- cgit v1.2.3