src/common/util.c:expand_filename() - Perhaps use GetFullPathName() as a form of input validation on the filename argument.

2024-11-24 12:23:32 +01:00 · 2015-12-01 15:41:03 -05:00 · 2015-12-01 15:41:03 -05:00 · 4e19133dcc
commit 4e19133dcc
parent b3639c8291
1 changed files with 3 additions and 0 deletions
--- a/src/common/util.c
+++ b/src/common/util.c
@ -2873,6 +2873,9 @@ expand_filename(const char *filename)
 {
  tor_assert(filename);
 #ifdef _WIN32
+  /* Might consider using GetFullPathName() as described here:
+   * http://etutorials.org/Programming/secure+programming/Chapter+3.+Input+Validation/3.7+Validating+Filenames+and+Paths/
+   */
  return tor_strdup(filename);
 #else
  if (*filename == '~') {