diff --git a/Annex/UntrustedFilePath.hs b/Annex/UntrustedFilePath.hs index 29c02709f0..c843e8042e 100644 --- a/Annex/UntrustedFilePath.hs +++ b/Annex/UntrustedFilePath.hs @@ -15,25 +15,28 @@ import System.FilePath - sane FilePath. - - All spaces and punctuation and other wacky stuff are replaced - - with '_', except for '.' + - with '_', except for '.' and '-' - - "../" becomes ".._", which is safe. - "/foo" becomes "_foo", which is safe. - "c:foo" becomes "c_foo", which is safe even on windows. - - - Leading '.' is also replaced with '_', so ".git/foo" becomes "_git_foo" - - and so no dotfiles that might control a program are inadvertently created. + - Leading '.' and '-' are also replaced with '_', so + - so no dotfiles that might control a program are inadvertently created, + - and to avoid filenames being treated as options to commands the user + - might run. -} sanitizeFilePath :: String -> FilePath -sanitizeFilePath = leadingdot . map sanitize +sanitizeFilePath = leading . map sanitize where sanitize c - | c == '.' = c + | c == '.' || c == '-' = c | isSpace c || isPunctuation c || isSymbol c || isControl c || c == '/' = '_' | otherwise = c - leadingdot ('.':s) = '_':s - leadingdot s = s + leading ('.':s) = '_':s + leading ('-':s) = '_':s + leading s = s escapeSequenceInFilePath :: FilePath -> Bool escapeSequenceInFilePath f = '\ESC' `elem` f diff --git a/CHANGELOG b/CHANGELOG index ad4d9ad3c2..3062587c12 100644 --- a/CHANGELOG +++ b/CHANGELOG 
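Review bot: The rewritten doc comment on the new side ends one line with `replaced with '_', so` and begins the next with `so no dotfiles`, so the word "so" is duplicated across the line break, and the worked example `".git/foo" becomes "_git_foo"` carried by the removed lines is gone; suggest `Leading '.' and '-' are also replaced with '_', so ".git/foo" becomes "_git_foo" and "-foo" becomes "_foo":` followed by the two reasons already given (the block comment's opening `{-` line is outside the hunk). The pair of preserved characters is now spelled in three places (the comment, the first `sanitize` guard and the two `leading` equations), so collapsing the equations to `leading (c:s) | elem c ".-" = '_':s` and `leading s = s` keeps that set in a single expression next to the guard. The order of the `sanitize` guards is load-bearing, because `isPunctuation` is true for both '.' and '-' and the second guard would otherwise turn them into '_'; a short why-comment on the first guard such as `-- must stay ahead of the isPunctuation guard, which matches these too` would make that explicit.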
@@ -18,8 +18,12 @@ git-annex (8.20200502) UNRELEASED; urgency=medium autoenable of such remotes without forcing again. * addurl, importfeed: Avoid adding filenames with leading '.', instead it will be replaced with '_'. + * addurl, importfeed: Allow '-' in filenames, as long as it's not the + first character. * addurl --preserve-filename: New option, uses server-provided filename - without any sanitization, but with some security checking. + without any sanitization, but will fail if the filename has an obvious + security problem like using an escape sequence or trying to escape + the current directory. -- Joey Hess Mon, 04 May 2020 12:46:11 -0400 diff --git a/doc/bugs/addurl__58___content-disposition_field_should_be_taken_as_is_without_obfuscation_/comment_5_fad1fe49c2c545aeeb388176d2f5a893._comment b/doc/bugs/addurl__58___content-disposition_field_should_be_taken_as_is_without_obfuscation_/comment_5_fad1fe49c2c545aeeb388176d2f5a893._comment new file mode 100644 index 0000000000..85a274a220 --- /dev/null +++ b/doc/bugs/addurl__58___content-disposition_field_should_be_taken_as_is_without_obfuscation_/comment_5_fad1fe49c2c545aeeb388176d2f5a893._comment @@ -0,0 +1,13 @@ +[[!comment format=mdwn + username="joey" + subject="""comment 5""" + date="2020-05-11T17:20:07Z" + content=""" +I agree that it may as well allow non-leading '-'. + +Web browsers do do some santization, particulary of '/'. +Chrome removes leading "." as well. Often files are downloaded to locations +without the user confirming it. I suspect there is enough insecurity +in that area that someone could make a living injecting bitcoin miners into +dotfiles. +"""]]