File CVE-2023-28371-1.patch of Package stellarium (project openSUSE:Backports:SLE-15-SP4:Update)
From 1261f74dc4aa6bbd01ab514343424097f8cf46b7 Mon Sep 17 00:00:00 2001 From: Georg Zotti <Georg.Zotti@univie.ac.at> Date: Sat, 4 Mar 2023 16:15:54 +0100 Subject: [PATCH] Fix a possible security issue - script output might have been stored to paths elsewhere - Thanks to G.C. for reporting --- src/scripting/StelScriptOutput.cpp | 12 ++++++------ src/scripting/StelScriptOutput.hpp | 3 ++- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/src/scripting/StelScriptOutput.cpp b/src/scripting/StelScriptOutput.cpp index 94f37de13ddf..94af2d2d4d6c 100644 --- a/src/scripting/StelScriptOutput.cpp +++ b/src/scripting/StelScriptOutput.cpp 
@@ -56,15 +56,15 @@ void StelScriptOutput::reset(void) void StelScriptOutput::saveOutputAs(const QString &name) { QFile asFile; - QFileInfo outputInfo(outputFile); - QDir dir=outputInfo.dir(); // will hold complete dirname - QFileInfo newFileNameInfo(name); + const QFileInfo outputInfo(outputFile); + const QDir dir=outputInfo.dir(); // will hold complete dirname + const QFileInfo newFileNameInfo(name); - bool okToSaveToAbsolutePath=StelApp::getInstance().getSettings()->value("scripts/flag_script_allow_write_absolute_path", false).toBool(); + const bool okToSaveToAbsolutePath=StelApp::getInstance().getSettings()->value("scripts/flag_script_allow_write_absolute_path", false).toBool(); - if (!okToSaveToAbsolutePath && (newFileNameInfo.isAbsolute())) + if (!okToSaveToAbsolutePath && ((newFileNameInfo.isAbsolute() || (name.contains(".."))))) // The last condition may include dangerous/malicious paths { - qWarning() << "SCRIPTING CONFIGURATION ISSUE: You are trying to save to an absolute pathname."; + qWarning() << "SCRIPTING CONFIGURATION ISSUE: You are trying to save to an absolute pathname or move up in directories."; qWarning() << " To enable this, edit config.ini and set [scripts]/flag_script_allow_write_absolute_path=true"; asFile.setFileName(dir.absolutePath() + "/" + newFileNameInfo.fileName()); qWarning() << " Storing to " << asFile.fileName() << " instead"; diff --git a/src/scripting/StelScriptOutput.hpp b/src/scripting/StelScriptOutput.hpp index 41579e7188fe..6012cac1650e 100644 --- a/src/scripting/StelScriptOutput.hpp +++ b/src/scripting/StelScriptOutput.hpp 
@@ -41,12 +41,13 @@ class StelScriptOutput static void writeLog(QString msg); //! Reset file, i.e., empty it. This may be useful to have repetitive output which may be read by other programs. + //! Normally you would call saveOutputAs(...), then reset(). static void reset(void); //! Save to new file, re-create output file. //! This allows reading of results on Windows, where otherwise reading programs cannot access files opened for writing by Stellarium. //! @param name new filename. If this is not an absolute path, it will be created in the same directory as output.txt - //! @note For storing to absolute path names, set [scripts]/flag_script_allow_write_absolute_path=true. + //! @note For storing to absolute path names or paths containing directory navigation (".."), set [scripts]/flag_script_allow_write_absolute_path=true. //! Normally you would call saveOutputAs(...), then reset(). static void saveOutputAs(const QString& name);
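Review bot: In the StelScriptOutput.cpp hunk, the new guard `name.contains("..")` is a plain substring test, so it also rejects harmless filenames such as `results..txt` and silently redirects them to the output directory, while the intent is only to block directory traversal. A more precise check would resolve the requested path against `dir` (for example `QDir::cleanPath(dir.absoluteFilePath(name))`) and verify the result still starts with `dir.absolutePath()`; that covers `..` components regardless of how they are spelled and leaves legitimate names alone. The inner parentheses in `((newFileNameInfo.isAbsolute() || (name.contains(".."))))` are redundant and make the condition harder to read. The `const` additions are fine but unrelated to the fix and would be easier to review as a separate cleanup.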
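Review bot: In the StelScriptOutput.hpp hunk, the added line `//! Normally you would call saveOutputAs(...), then reset().` above `reset()` duplicates the identical sentence that already closes the `saveOutputAs()` doc block two lines below; keep it in one place. The updated `@note` describes the new `..` restriction, but the `@param name` line still says only that a non-absolute path "will be created in the same directory as output.txt"; it should also state that a name containing `..` is stripped to its file name and stored next to output.txt with a warning, since that is the behaviour the .cpp change introduces.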