Update of /cvsroot/audacity/audacity-src/src/xml
In directory sc8-pr-cvs11.sourceforge.net:/tmp/cvs-serv7712/xml

Modified Files:
      Tag: Audacity_UmixIt
        XMLTagHandler.cpp XMLTagHandler.h 
Log Message:
security vulnerability fixes, per NGS report for UmixIt

Index: XMLTagHandler.h
===================================================================
RCS file: /cvsroot/audacity/audacity-src/src/xml/XMLTagHandler.h,v
retrieving revision 1.4
retrieving revision 1.4.6.1
diff -u -d -r1.4 -r1.4.6.1
--- XMLTagHandler.h     10 Sep 2003 07:42:35 -0000      1.4
+++ XMLTagHandler.h     12 Dec 2006 03:27:12 -0000      1.4.6.1
@@ -18,6 +18,12 @@
 #ifndef __AUDACITY_XML_TAG_HANDLER__
 #define __AUDACITY_XML_TAG_HANDLER__
 
+// "Good" means the name is well-formed and names an existing file.
+// These are functions rather than methods because some non-descendants of 
XMLTagHandler need it. //vvvvv necessarily?
+bool IsGoodSubdirNameFromXML(const wxString strSubdirName, const wxString 
strDirName = "");
+bool IsGoodFileNameFromXML(const wxString strFileName, const wxString 
strDirName = "");
+bool IsGoodPathNameFromXML(const wxString strPathName);
+
 class XMLTagHandler {
  public:
 
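Review bot: The comment above the three new declarations says "Good" means the name "names an existing file", but IsGoodSubdirNameFromXML (per the .cpp hunk) requires an existing directory and IsGoodPathNameFromXML takes a complete path rather than a name relative to strDirName, so the stated contract is narrower than what the functions check. Suggest one line per function, e.g. `// IsGoodSubdirNameFromXML: strSubdirName contains no NUL or path separator and strDirName/strSubdirName is an existing directory (an empty strDirName presumably resolves against the current directory — confirm with wxFileName).`, and dropping the `//vvvvv necessarily?` marker, which reads as an unresolved review question left in a public header. The `const wxString` by-value parameters copy on every call; `const wxString&` is the conventional form and changes nothing for callers.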

Index: XMLTagHandler.cpp
===================================================================
RCS file: /cvsroot/audacity/audacity-src/src/xml/XMLTagHandler.cpp,v
retrieving revision 1.4
retrieving revision 1.4.6.1
diff -u -d -r1.4 -r1.4.6.1
--- XMLTagHandler.cpp   10 Sep 2003 19:56:31 -0000      1.4
+++ XMLTagHandler.cpp   12 Dec 2006 03:27:12 -0000      1.4.6.1
@@ -2,9 +2,10 @@
 
   Audacity: A Digital Audio Editor
 
-  XMLTagHandler.h
+  XMLTagHandler.cpp
 
   Dominic Mazzoni
+  Vaughan Johnson (IsGood*FromXML)
 
   This class is an interface which should be implemented by
   classes which wish to be able to load and save themselves
@@ -18,6 +19,52 @@
 #include "../Internat.h"
 
 #include <wx/defs.h>
+#include <wx/filename.h>
+
+// "Good" means the name is well-formed and names an existing file.
+// These are functions rather than methods because some non-descendants of 
XMLTagHandler need it. //vvvvv necessarily?
+bool IsGoodFileString(wxString str)
+{
+   // Test against corrupt filenames per security vulnerability report by NGS 
for UmixIt.
+   wxString intlStrFileName = FILENAME(str);
+   size_t len = intlStrFileName.Length();
+   return ((len <= 128) && // FILENAME_MAX is 260 in MSVC, but inconsistent 
across platforms, sometimes huge.
+            (intlStrFileName.Find('\0') == len) && // No null characters 
except terminator.
+            (intlStrFileName.Find(wxFileName::GetPathSeparator()) == -1)); // 
No path separator characters. //vvv (this won't work on CVS HEAD)
+}
+
+bool IsGoodSubdirNameFromXML(const wxString strSubdirName, const wxString 
strDirName /* = "" */)
+{
+   // Test strSubdirName.
+   if (!IsGoodFileString(strSubdirName)) return false;
+
+   // Test the corresponding wxFileName.
+   wxFileName fileName(FILENAME(strDirName), FILENAME(strSubdirName));
+   return (fileName.IsOk() && fileName.DirExists());
+}
+
+bool IsGoodFileNameFromXML(const wxString strFileName, const wxString 
strDirName /* = "" */)
+{
+   // Test strFileName.
+   if (!IsGoodFileString(strFileName)) return false;
+
+   // Test the corresponding wxFileName.
+   wxFileName fileName(FILENAME(strDirName), FILENAME(strFileName));
+   return (fileName.IsOk() && fileName.FileExists());
+}
+
+bool IsGoodPathNameFromXML(const wxString strPathName)
+{
+   // Test strPathName.
+   wxString intlStrPathName = FILENAME(strPathName);
+   if ((intlStrPathName.Find('\0') < intlStrPathName.Length())) // No null 
characters.
+      return false;
+
+   // Test the corresponding wxFileName.
+   wxFileName fileName(intlStrPathName);
+   return IsGoodFileNameFromXML(fileName.GetFullName(), 
fileName.GetPath(wxPATH_GET_VOLUME));
+}
+
 
 // See http://www.w3.org/TR/REC-xml for reference
 wxString XMLTagHandler::XMLEsc(wxString s)
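Review bot: IsGoodFileString accepts `.` and `..` (short, no NUL, no separator), and the DirExists() test in IsGoodSubdirNameFromXML then succeeds for them, so a subdirectory name of `..` taken from project XML still resolves to the parent of strDirName; add `if (intlStrFileName == wxT(".") || intlStrFileName == wxT("..")) return false;` to the guard. The separator test rejects only wxFileName::GetPathSeparator(), the platform's primary separator, whereas Windows also accepts `/`; testing against every separator, `intlStrFileName.find_first_of(wxFileName::GetPathSeparators()) == wxString::npos`, closes that gap. The NUL test appears to rely on Find('\0') returning the terminator's index (strchr semantics) rather than wxNOT_FOUND — if a wx build returns -1 instead, the size_t comparison against len rejects every name in IsGoodFileString while the `< Length()` form in IsGoodPathNameFromXML accepts every name; `wxStrlen(intlStrFileName.c_str()) == len` expresses "no embedded NUL" without depending on that. Also worth confirming that the non-static wxFileName::DirExists() tests the directory+name combination and not just GetPath(), since in some wx releases it checks only the path part, which would make the subdir existence check vacuous; `wxFileName::DirExists(fileName.GetFullPath())` removes the ambiguity.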

