--- a/ChangeLog Mon Feb 11 01:01:20 2013 -0800
+++ b/ChangeLog Mon Feb 11 01:03:34 2013 -0800
@@ -37,6 +37,8 @@
+ * Fix a bug where a remote MXit user could possibly specify a local
+ file path to be written to. (CVE-2013-0271)
 * Display farewell messages in a different colour to distinguish
them from normal messages.
* Add support for typing notification.
--- a/libpurple/protocols/mxit/formcmds.c Mon Feb 11 01:01:20 2013 -0800
+++ b/libpurple/protocols/mxit/formcmds.c Mon Feb 11 01:03:34 2013 -0800
@@ -405,19 +405,29 @@
/* base64 decode the image data */
rawimg = purple_base64_decode(tmp, &rawimglen);
- dir = g_strdup_printf("%s/mxit/imagestrips", purple_user_dir());
+ dir = g_build_filename(purple_user_dir(), "mxit", "imagestrips", NULL);
 purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR); /* ensure directory exists */
- filename = g_strdup_printf("%s/%s-%s-%s.png", dir, from, name, validator);
+ escfrom = g_strdup(purple_escape_filename(from));
+ escname = g_strdup(purple_escape_filename(name));
+ escvalidator = g_strdup(purple_escape_filename(validator));
+ filename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "%s-%s-%s.png", dir, escfrom, escname, escvalidator);
 purple_util_write_data_to_file_absolute(filename, (char*) rawimg, rawimglen);
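Review bot: The `g_strdup()` wrappers on the three `purple_escape_filename()` calls need a comment, because the reason for them is not visible at the call site: the function returns a pointer to a static buffer that the next call overwrites, so inlining the calls into `g_strdup_printf()` would silently produce three identical name components. Something like `/* purple_escape_filename() returns a static buffer; copy each result before the next call */` above `escfrom` would guard against that regression. The matching `g_free()` calls for `escfrom`, `escname` and `escvalidator` are not visible in this hunk, so confirm they follow the write. The enclosing function starts and ends outside the hunk.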
--- a/libpurple/protocols/mxit/splashscreen.c Mon Feb 11 01:01:20 2013 -0800
+++ b/libpurple/protocols/mxit/splashscreen.c Mon Feb 11 01:03:34 2013 -0800
@@ -121,10 +121,10 @@
/* Save the new splash image */
- dir = g_strdup_printf("%s/mxit", purple_user_dir());
+ dir = g_strdup_printf("%s" G_DIR_SEPARATOR_S "mxit", purple_user_dir());
 purple_build_dir(dir, S_IRUSR | S_IWUSR | S_IXUSR); /* ensure directory exists */
- filename = g_strdup_printf("%s/%s.png", dir, splashId);
+ filename = g_strdup_printf("%s" G_DIR_SEPARATOR_S "%s.png", dir, purple_escape_filename(splashId));
 if (purple_util_write_data_to_file_absolute(filename, data, datalen)) {
/* Store new splash-screen ID to settings */
purple_account_set_string(session->acc, MXIT_CONFIG_SPLASHID, splashId);
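Review bot: The settings call at the end of the hunk still stores the raw `splashId`, while the file on disk is now named after `purple_escape_filename(splashId)`. Any code that later rebuilds the path from `MXIT_CONFIG_SPLASHID` (not visible here) has to apply the same escaping, otherwise it will miss the file or bring back the path problem this commit closes. A comment such as `/* stored unescaped; pass through purple_escape_filename() before building a path */` above the `purple_account_set_string()` call would make that contract explicit. As a style point, `dir` could be built with `g_build_filename(purple_user_dir(), "mxit", NULL)`, as formcmds.c does in this same commit, rather than a `G_DIR_SEPARATOR_S` format string. The `if` block and the enclosing function continue outside the hunk.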