diff options
author | Ingo Schwarze <schwarze@openbsd.org> | 2014-07-19 11:35:12 +0000 |
---|---|---|
committer | Ingo Schwarze <schwarze@openbsd.org> | 2014-07-19 11:35:12 +0000 |
commit | a96928e9475061fac88468b762b3335bb8af06f2 (patch) | |
tree | fb4e77a526e6a9f2edf71c295c86ae2ad621afa8 /chars.c | |
parent | d06d27331700307ee6ca6040c2bd638cafbeef2e (diff) | |
download | mandoc-a96928e9475061fac88468b762b3335bb8af06f2.tar.gz |
Security fix:
Validate the name of the file to show before opening it.
Only allow relative filenames starting with "man" or "cat"
and containing neither "/.." nor "../".
While here, correct the condition discarding an initial "./".
Vulnerability found by Sebastien Marie <semarie-openbsd at latrappe dot fr>.
Many thanks for sending a patch; however, i did not use it but made the
checks even stricter.
Diffstat (limited to 'chars.c')
0 files changed, 0 insertions, 0 deletions