From 3a7d0be12055651f2ef6bd7f78109f0652fc83d7 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Wed, 17 Dec 2014 14:17:19 -0400 Subject: [PATCH] remove excess directory --- Remote/BitTorrent.hs | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Remote/BitTorrent.hs b/Remote/BitTorrent.hs index 9b055b19b5..d4c2792cc2 100644 --- a/Remote/BitTorrent.hs +++ b/Remote/BitTorrent.hs @@ -353,6 +353,7 @@ torrentFileSizes torrent = do fn = reverse $ drop 2 $ dropWhile (/= '(') $ dropWhile (== ')') $ reverse l + -- a malicious torrent file might try to do directory traversal scrub f = if isAbsolute f || any (== "..") (splitPath f) then error "found unsafe filename in torrent!" else f @@ -365,4 +366,4 @@ torrentContents u = convert convert l = UrlMulti $ map mkmulti (zip l [1..]) mkmulti ((fn, sz), n) = - (torrentUrlWithNum u n, Just sz, mkSafeFilePath fn) + (torrentUrlWithNum u n, Just sz, mkSafeFilePath $ joinPath $ drop 1 $ splitPath fn)