[*] Exploit mitigation - file protocols can be valid paths

2023-09-10 16:06:12 +01:00 · 2023-09-10 16:06:12 +01:00 · 5107911ba5
commit 5107911ba5
parent 445085d069
1 changed files with 30 additions and 10 deletions
--- a/Source/IO/FS/FS.cpp
+++ b/Source/IO/FS/FS.cpp
@ -30,43 +30,58 @@ namespace Aurora::IO::FS
        /**
            Resolve special character prefixes
        */
-        if ((path.size() >= 2) && (requireMountExpand))
+        if (requireMountExpand)
        {
-            if (path[1] == kPathSplitter)
+            int iOffset { 0 };
+
+            /**
+             * Strip protocol prefix
+             */
+            if (AuStartsWith(path, "file://"))
+            {
+                iOffset = 7;
+            }
+
+            if ((path.size() > iOffset + 1) &&
+                (path[iOffset + 1] == kPathSplitter))
            {
                // Working directory
-                if (path[0] == '.')
+                if (path[iOffset] == '.')
                {
                    SysAssert(Process::GetWorkingDirectory(buffer));
                    buffer += kPathSplitter;
                }
                // Binary directory
-                else if (path[0] == '^')
+                else if (path[iOffset] == '^')
                {
                    SysAssert(Process::GetProcDirectory(buffer));
                    buffer += kPathSplitter;
                }
                // Local Aurora profile
-                else if (path[0] == '~')
+                else if (path[iOffset] == '~')
                {
                    SysAssert(FS::GetProfileDomain(buffer));
                }
                // Global Aurora profile
-                else if (path[0] == '!')
+                else if (path[iOffset] == '!')
                {
                    SysAssert(FS::GetSystemDomain(buffer));
                }
-                else if (path[0] == '?')
+                else if (path[iOffset] == '?')
                {
                    // ...except for this one
                    isResource = true;
                }
                else
                {
-                    buffer.insert(buffer.begin(), path.begin(), path.begin() + 2); // ???
+                    buffer.insert(buffer.begin(), path.begin() + iOffset, path.begin() + iOffset + 2); // ???
                }

-                buffer.insert(buffer.end(), path.begin() + 2, path.end());
+                buffer.insert(buffer.end(), path.begin() + iOffset + 2, path.end());
+            }
+            else if (iOffset)
+            {
+                buffer.insert(buffer.end(), path.begin() + iOffset, path.end());
            }
            else
            {
@ -251,6 +266,11 @@ namespace Aurora::IO::FS
            }
        }

+        if (!requiresMountUpdate)
+        {
+            requiresMountUpdate = AuStartsWith(str, "file://");
+        }
+        
        // worst case -> yea have fun
        if (requiresExpanding || requiresMountUpdate)
        {