fs: Use game data path to resolve ./ in the absence of a current_dir

Fixes a file content disclosure bug (#22042) affecting functionality relying on the get_wml_location() function and not passing a non-empty value for the current_dir parameter. See <https://gna.org/bugs/?22042> for details. This is a candidate for the 1.10 and 1.12 branches.
2014-05-16 01:45:18 -04:00 · 2014-05-16 01:45:18 -04:00 · 314425ab0e
commit 314425ab0e
parent 93353ee0a6
2 changed files with 12 additions and 1 deletions
--- a/1
+++ b/1
@ -146,6 +146,7 @@ Version 1.13.0-dev:
     a game_error exception when anything is written to a log as severe as 
     that. For example --log-strict=warning causes both warnings and errors
     to generate runtime exceptions. This is intended for unit tests.
+   * Fix bug #22042: filesystem content disclosure issue affecting Lua APIs

 Version 1.11.11:
 * Add-ons server:
--- a/src/filesystem.cpp
+++ b/src/filesystem.cpp
@ -1139,7 +1139,17 @@ std::string get_wml_location(const std::string &filename, const std::string &cur
 	{
 		// If the filename begins with a "./", look in the same directory
 		// as the file currently being preprocessed.
-		result = current_dir + filename.substr(2);
+
+		if (!current_dir.empty())
+		{
+			result = current_dir;
+		}
+		else
+		{
+			result = game_config::path;
+		}
+
+		result += filename.substr(2);
 	}
 	else if (!game_config::path.empty())
 		result = game_config::path + "/data/" + filename;