Use looks_like_pbl() to disallow .pbl file inclusion (bug #23504)

This function is implemented using case-insensitive pattern matching, unlike filesystem::ends_with(). I missed this when writing my original fix, so the vulnerability still applied to .pbl files on a case-insensitive filesystem (e.g. NTFS and FAT* on Windows) by using different case to bypass the check.
2015-06-16 23:08:52 -03:00 · 2015-06-16 23:08:52 -03:00 · b2738ffb2f
commit b2738ffb2f
parent 634d29020f
4 changed files with 6 additions and 4 deletions
--- a/3
+++ b/3
@ -1,6 +1,7 @@
 Version 1.13.0+dev:
 * Security fixes:
-   * Disallowed inclusion of .pbl files from WML (bug #23504).
+   * Disallowed inclusion of .pbl files from WML (bug #23504), independent of
+     file name case.
 * AI:
   * Fast Micro AI: exclude hidden enemies from attack evaluation by default;
     add optional key attack_hidden_enemies to override this
--- a/3
+++ b/3
@ -4,7 +4,8 @@ changelog: https://github.com/wesnoth/wesnoth/blob/master/changelog

 Version 1.13.0+dev:
 * Security fixes:
-   * Disallowed inclusion of .pbl files from WML (bug #23504).
+   * Disallowed inclusion of .pbl files from WML (bug #23504), independent of
+     file name case.

 * Campaigns:
   * Dead Water:
--- a/src/filesystem.cpp
+++ b/src/filesystem.cpp
@ -1008,7 +1008,7 @@ std::string get_wml_location(const std::string &filename, const std::string &cur
 		return result;
 	}

-	if (ends_with(filename, ".pbl")) {
+	if (looks_like_pbl(filename)) {
 		ERR_FS << "Illegal path '" << filename << "' (.pbl files are not allowed)." << std::endl;
 		return result;
 	}
--- a/src/filesystem_boost.cpp
+++ b/src/filesystem_boost.cpp
@ -1000,7 +1000,7 @@ static bool is_legal_file(const std::string &filename)
 		return false;
 	}

-	if (ends_with(filename, ".pbl")) {
+	if (looks_like_pbl(filename)) {
 		ERR_FS << "Illegal path '" << filename << "' (.pbl files are not allowed)." << std::endl;
 		return false;
 	}