aboutsummaryrefslogtreecommitdiff
path: root/network/rhapsody/securityfix.diff
blob: bb9db0d646eb4d30d9fb18f7b9e217bb09ea52eb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
diff -Naur rhapsody-0.28b/src/dcc.c rhapsody-0.28b.patched/src/dcc.c
--- rhapsody-0.28b/src/dcc.c	2006-02-24 01:46:19.000000000 -0500
+++ rhapsody-0.28b.patched/src/dcc.c	2021-09-16 15:46:52.830186229 -0400
@@ -702,7 +702,11 @@
 	FILE *fp;
 	int fd;
 
-	sprintf(filepath, "%s/%s", configuration.dccdlpath, filename);
+	if(strchr(filename, "/")) {
+		vprint_all_attrib(ERROR_COLOR, "DCC File: Filename %s has directory separators, not allowed\n", filename);
+	}
+
+	snprintf(filepath, 1023, "%s/%s", configuration.dccdlpath, filename);
 
 	/* check if the file exists, and if it does, append a timestamp extension */
 	fp = fopen(filepath, "rb");
@@ -710,13 +714,13 @@
 	if (fp != NULL && configuration.dccduplicates == 1){
 		ct = time(NULL);
 		t = localtime(&ct);
-		sprintf(filestamp, "%s.%04d%02d%02d%02d%02d%02d", filename, t->tm_year + 1900, t->tm_mon, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
+		snprintf(filestamp, 1023, "%s.%04d%02d%02d%02d%02d%02d", filename, t->tm_year + 1900, t->tm_mon, t->tm_mday, t->tm_hour, t->tm_min, t->tm_sec);
 		vprint_all_attrib(DCC_COLOR, "DCC file %s exists, saving as %s\n", filename, filestamp);
-		sprintf(filepath, "%s/%s", configuration.dccdlpath, filestamp);
+		snprintf(filepath, 1023, "%s/%s", configuration.dccdlpath, filestamp);
 		fclose(fp);
 		strcpy(filenamex, filestamp);
 	}
-	else strcpy(filenamex, filename);
+	else strncpy(filenamex, filename, 1023);
 
 	//fp = fopen(filepath, "wb");
 	//if (fp == NULL){
diff -Naur rhapsody-0.28b/src/screen.c rhapsody-0.28b.patched/src/screen.c
--- rhapsody-0.28b/src/screen.c	2006-02-24 01:46:19.000000000 -0500
+++ rhapsody-0.28b.patched/src/screen.c	2021-09-16 15:39:03.142240866 -0400
@@ -2294,7 +2294,7 @@
 void add_input_buffer(inputwin *I, int value){
 	char scratch[MAXDATASIZE];
 
-	if (I->cursorpos < MAXDATASIZE){
+	if (I->cursorpos < MAXDATASIZE - 1){
 		strcpy(scratch, &(I->inputbuffer)[I->cursorpos]);
 	        (I->inputbuffer)[I->cursorpos] = value;
 	        strcpy(&(I->inputbuffer)[I->cursorpos+1], scratch);
@@ -2306,7 +2306,7 @@
 void append_input_buffer(inputwin *I, char *string){
 	char scratch[MAXDATASIZE];
 
-	if (I->cursorpos + strlen(string) < MAXDATASIZE){
+	if (I->cursorpos + strlen(string) < MAXDATASIZE - 1){
 		strcpy(scratch, &(I->inputbuffer)[I->cursorpos]);
 	        strcpy(&(I->inputbuffer)[I->cursorpos], string);
 	        strcpy(&(I->inputbuffer)[I->cursorpos + strlen(string)], scratch);