Author: cazfi Date: Thu Mar 3 18:40:40 2016 New Revision: 32170 URL: http://svn.gna.org/viewcvs/freeciv?rev=32170&view=rev Log: When loading savegame, first check savefile with the exact name given in server command line, and only then try different savegame suffixes for it. For filenames given by other means than command line adding one of the extensions is still required, to protect against loading arbitrary files.
See bug #23872 Modified: trunk/server/srv_main.c trunk/server/stdinhand.c trunk/server/stdinhand.h Modified: trunk/server/srv_main.c URL: http://svn.gna.org/viewcvs/freeciv/trunk/server/srv_main.c?rev=32170&r1=32169&r2=32170&view=diff ============================================================================== --- trunk/server/srv_main.c (original) +++ trunk/server/srv_main.c Thu Mar 3 18:40:40 2016 @@ -2728,7 +2728,7 @@ /* load a saved game */ if ('\0' == srvarg.load_filename[0] - || !load_command(NULL, srvarg.load_filename, FALSE)) { + || !load_command(NULL, srvarg.load_filename, FALSE, TRUE)) { /* Rulesets are loaded on game initialization, but may be changed later * if /load or /rulesetdir is done. */ load_rulesets(NULL, FALSE, TRUE, FALSE); @@ -2736,7 +2736,7 @@ maybe_automatic_meta_message(default_meta_message_string()); - if(!(srvarg.metaserver_no_send)) { + if (!(srvarg.metaserver_no_send)) { log_normal(_("Sending info to metaserver <%s>."), meta_addr_port()); /* Open socket for meta server */ if (!server_open_meta() Modified: trunk/server/stdinhand.c URL: http://svn.gna.org/viewcvs/freeciv/trunk/server/stdinhand.c?rev=32170&r1=32169&r2=32170&view=diff ============================================================================== --- trunk/server/stdinhand.c (original) +++ trunk/server/stdinhand.c Thu Mar 3 18:40:40 2016 @@ -3575,9 +3575,10 @@ legitimate but has inconsistencies) and would lead to a broken server afterwards. **************************************************************************/ -bool load_command(struct connection *caller, const char *filename, bool check) -{ - struct timer *loadtimer, *uloadtimer; +bool load_command(struct connection *caller, const char *filename, bool check, + bool cmdline_load) +{ + struct timer *loadtimer, *uloadtimer; struct section_file *file; char arg[MAX_LEN_PATH]; struct conn_list *global_observers; 
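Review bot: The new `cmdline_load` parameter of load_command() is a trust flag, but the function's header comment, whose tail is visible at the top of this hunk, is not updated to document it. Passing TRUE lets a name be opened without one of the savegame extensions, which the log message describes as the protection against loading arbitrary files, so the contract belongs where callers will read it, e.g. add to the header comment: `'cmdline_load' must be TRUE only when 'filename' comes from the server command line; it allows loading a file whose name has no savegame extension.` The same sentence would fit above the prototype changed in stdinhand.h. The header comment starts, and the function body continues, outside this hunk.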
@@ -3612,10 +3613,26 @@ const char **ext, *found = NULL; const struct strvec **path; + if (cmdline_load) { + /* Allow plain names being loaded with '--file' option, but not otherwise + * (no loading of arbitrary files by unauthorized users) + * Iterate through ALL paths to check for file with plain name before + * looking any path with an extension, i.e., prefer plain name file + * in later directory over file with extension in name in earlier + * directory. */ + for (path = pathes; !found && *path; path++) { + found = fileinfoname(*path, filename); + if (found != NULL) { + sz_strlcpy(arg, found); + } + } + } + for (path = pathes; !found && *path; path++) { for (ext = exts; !found && *ext; ext++) { fc_snprintf(testfile, sizeof(testfile), "%s.%s", filename, *ext); - if ((found = fileinfoname(*path, testfile))) { + found = fileinfoname(*path, testfile); + if (found != NULL) { sz_strlcpy(arg, found); } } @@ -4245,7 +4262,7 @@ case CMD_SCENSAVE: return scensave_command(caller, arg, check); case CMD_LOAD: - return load_command(caller, arg, check); + return load_command(caller, arg, check, FALSE); case CMD_METAPATCHES: return metapatches_command(caller, arg, check); case CMD_METAMESSAGE: Modified: trunk/server/stdinhand.h URL: http://svn.gna.org/viewcvs/freeciv/trunk/server/stdinhand.h?rev=32170&r1=32169&r2=32170&view=diff ============================================================================== --- trunk/server/stdinhand.h (original) +++ trunk/server/stdinhand.h Thu Mar 3 18:40:40 2016 @@ -1,4 +1,4 @@ -/********************************************************************** +/********************************************************************** Freeciv - Copyright (C) 1996 - A Kjeldberg, L Gregersen, P Unold This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
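Review bot: In the added `if (cmdline_load) {` block the extension requirement is bypassed on the strength of the flag alone; nothing in load_command() ties it to who issued the load. The only call shown passing TRUE is the one in srv_main.c, which passes a NULL `caller`, and the command dispatcher passes FALSE, so the guard could require both: `if (cmdline_load && caller == NULL) {`. That keeps a later call site that passes TRUE together with a connection from reaching `fileinfoname(*path, filename)` with a plain name. Whether `filename` is checked for directory components before this point is not visible here; the function body starts and ends outside the hunk.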
@@ -51,7 +51,7 @@ char *buf, size_t buflen); bool load_command(struct connection *caller, - const char *filename, bool check); + const char *filename, bool check, bool cmdline_load); bool start_command(struct connection *caller, bool check, bool notify); void toggle_ai_player_direct(struct connection *caller, _______________________________________________ Freeciv-commits mailing list Freeciv-commits@gna.org https://mail.gna.org/listinfo/freeciv-commits