[*] Win32 opener: ensure file/dir exists (subject to time of check attack, but its fine to prevent stupid 'open' shellexec exploits. wont save you if io write is available)

2023-09-09 23:09:28 +01:00 · 2023-09-09 23:09:28 +01:00 · 9ab0c25b05
commit 9ab0c25b05
parent 1a4a4ad863
1 changed files with 32 additions and 3 deletions
--- a/Source/Processes/AuOpen.Win32.cpp
+++ b/Source/Processes/AuOpen.Win32.cpp
@ -75,19 +75,48 @@ namespace Aurora::Processes
    void DeinitWin32Opener()
    {
        gOpenerThread->SendExitSignal();
-        gCondVariable->Broadcast();
+        gCondVariable->Signal();
        gOpenerThread.reset();
    }

    AUKN_SYM void OpenUri(const AuString &uri)
    {
+        if (AuFS::FileExists(uri))
+        {
+            SysPushErrorGeneric("Exploit attempt? Attempted to open existing file/directory via URI ({})", uri);
+            return;
+        }
+
        AU_LOCK_GUARD(gCondMutex);
        AuTryInsert(gOpenItems, uri);
-        gCondVariable->Broadcast();
+        gCondVariable->Signal();
    }

    AUKN_SYM void OpenFile(const AuString &file)
    {
-        OpenUri(AuIOFS::NormalizePathRet(file));
+        auto path = AuIOFS::NormalizePathRet(file);
+        bool bFileExists {};
+
+        if (!(bFileExists = AuFS::FileExists(path)) &&
+            !AuFS::DirExists(path))
+        {
+            SysPushErrorGeneric("Exploit attempt? Attempted to open non-existent file/directory. (request: {})", file);
+            return;
+        }
+
+        if (bFileExists)
+        {
+            if (!AuFS::IsFileBlocked(path))
+            {
+                SysPushErrorGeneric("Exploit attempt? Attempted to open untrusted file/directory. (request: {})", file);
+                return;
+            }
+        }
+
+        {
+            AU_LOCK_GUARD(gCondMutex);
+            AuTryInsert(gOpenItems, AuMove(path));
+            gCondVariable->Signal();
+        }
    }
 }