remove excess directory

2014-12-17 14:17:19 -04:00 · 2014-12-17 14:17:19 -04:00 · 3a7d0be120
commit 3a7d0be120
parent d5cbbe1b9a
1 changed files with 2 additions and 1 deletions
--- a/Remote/BitTorrent.hs
+++ b/Remote/BitTorrent.hs
@ -353,6 +353,7 @@ torrentFileSizes torrent = do
 		fn = reverse $ drop 2 $
 			dropWhile (/= '(') $ dropWhile (== ')') $ reverse l

+	-- a malicious torrent file might try to do directory traversal
 	scrub f = if isAbsolute f || any (== "..") (splitPath f)
 		then error "found unsafe filename in torrent!"
 		else f
@ -365,4 +366,4 @@ torrentContents u = convert
 	convert l = UrlMulti $ map mkmulti (zip l [1..])

 	mkmulti ((fn, sz), n) = 
-		(torrentUrlWithNum u n, Just sz, mkSafeFilePath fn)
+		(torrentUrlWithNum u n, Just sz, mkSafeFilePath $ joinPath $ drop 1 $ splitPath fn)