From 8b31bc934e09863613c3b80725d8c027d14d0cec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E8=BE=BE?=
Date: Fri, 21 Feb 2025 20:29:51 +0800
Subject: [PATCH] fix path traversal for 5.0.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 王达
---
 service/hnp/base/hnp_zip.c | 6 +++---
 service/hnp/installer/src/hnp_installer.c | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/service/hnp/base/hnp_zip.c b/service/hnp/base/hnp_zip.c
index 4d31d6a5..187b3711 100644
--- a/service/hnp/base/hnp_zip.c
+++ b/service/hnp/base/hnp_zip.c
@@ -465,7 +465,8 @@ int HnpUnZip(const char *inputFile, const char *outputDir, const char *hnpSignKe
 unzClose(zipFile);
 return HNP_ERRNO_BASE_UNZIP_GET_INFO_FAILED;
 }
- if (strstr(fileName, "../")) {
+ if (strstr(fileName, "..")) {
+ HNP_LOGE("unzip filename[%{public}s],does not allow the use of ..", fileName);
 unzClose(zipFile);
 return HNP_ERRNO_BASE_UNZIP_GET_INFO_FAILED;
 }
@@ -476,8 +477,7 @@ int HnpUnZip(const char *inputFile, const char *outputDir, const char *hnpSignKe
 slash = fileName;
 }
 
- result = sprintf_s(filePath, MAX_FILE_PATH_LEN, "%s/%s", outputDir, slash);
- if (result < 0) {
+ if (sprintf_s(filePath, MAX_FILE_PATH_LEN, "%s/%s", outputDir, slash) < 0) {
 HNP_LOGE("sprintf unsuccess.");
 unzClose(zipFile);
 return HNP_ERRNO_BASE_SPRINTF_FAILED;
diff --git a/service/hnp/installer/src/hnp_installer.c b/service/hnp/installer/src/hnp_installer.c
index 8c6ecb7e..3b8479ad 100644
--- a/service/hnp/installer/src/hnp_installer.c
+++ b/service/hnp/installer/src/hnp_installer.c
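Review bot: The widened `strstr(fileName, "..")` test in the first hnp_zip.c hunk now refuses any archive entry whose name merely contains two consecutive dots (for example `libfoo..so` or `a..b/c`), not only a real `..` path component, so valid packages are rejected while the protection is still a substring match rather than a path check; the three checks in hnp_installer.c (@@ -63 and @@ -330) have the same shape. A component-wise test that splits on `/` and rejects only a component equal to `..` keeps the traversal defence without the false positives, and the call site becomes `if (HnpPathHasDotDot(fileName)) {`. An entry name starting with `/` is not rejected here, which is harmless only as long as the name is always joined under outputDir through `"%s/%s"` as in the second hunk, so that assumption deserves a comment next to the check. HnpUnZip starts and ends outside both hunks, and whether hnp_zip.c already has a helper like this is not visible from the patch.
```c
/* True when path contains a ".." component (a/../b, ../a, ..); names such as "a..b" are allowed. */
static int HnpPathHasDotDot(const char *path)
{
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            return 1;
        }
        if (end == NULL) {
            return 0;
        }
        p = end + 1;
    }
}
/* … unchanged: rest of HnpUnZip, with strstr(fileName, "..") replaced by HnpPathHasDotDot(fileName) … */
```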
@@ -63,8 +63,8 @@ static int HnpGenerateSoftLinkAllByJson(const char *installPath, const char *dst
 }
 
 for (unsigned int i = 0; i < hnpCfg->linkNum; i++) {
- if (strstr(currentLink->source, "../") || strstr(currentLink->target, "../")) {
- HNP_LOGE("hnp json link source[%{public}s],target[%{public}s],does not allow the use of ../",
+ if (strstr(currentLink->source, "..") || strstr(currentLink->target, "..")) {
+ HNP_LOGE("hnp json link source[%{public}s],target[%{public}s],does not allow the use of ..",
 currentLink->source, currentLink->target);
 return HNP_ERRNO_INSTALLER_GET_HNP_PATH_FAILED;
 }
@@ -330,8 +330,8 @@ static int HnpInstallPathGet(HnpCfgInfo *hnpCfgInfo, HnpInstallInfo *hnpInfo)
 HNP_LOGE("hnp install sprintf install path unsuccess.");
 return HNP_ERRNO_BASE_SPRINTF_FAILED;
 }
- if (strstr(hnpInfo->hnpVersionPath, "../")) {
- HNP_LOGE("hnp version path[%{public}s], does not allow the use of ../", hnpInfo->hnpVersionPath);
+ if (strstr(hnpInfo->hnpVersionPath, "..")) {
+ HNP_LOGE("hnp version path[%{public}s], does not allow the use of ..", hnpInfo->hnpVersionPath);
 return HNP_ERRNO_INSTALLER_GET_HNP_PATH_FAILED;
 }
 
-- 
Gitee