Summary: Rationalise "safe" save names
Submitted by: jtn
Submitted on: Sun Jul 15 13:34:45 2012
Severity: 3 - Normal
Priority: 5 - Normal
Assigned to: None
Discussion Lock: Any
Operating System: Any
The "savename" server setting uses the function is_safe_filename() to decide
whether it's going to allow the filename.
In patch #2883 we got the Lua function save(), which has its own, different
safety checking (see api_server_save()).
(The server "/save" command is only allowed for "hack" connections, so has no
It's difficult to know for sure with the threat models so murky, but probably
the Lua one should use is_safe_filename() too?
(Matthias did ask in the original Lua patch if there was "a function in the
freeciv code which could be reused", which no-one including me answered at the
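
An added illustration of the idea raised above (not freeciv code and not part of the original report): one allowlist validator that every path accepting a save name calls, so the setting and the Lua binding cannot drift apart. The function names, the allowed character set and the length limit are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical allowlist for this example; not taken from the freeciv source. */
static const char SAFE_CHARS[] =
    "abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "0123456789-_.";

#define SAVENAME_MAX 64 /* constructed limit for this example */

/* Single validator, meant to be shared by every entry point that turns
 * user-controlled text into a save file name. */
bool savename_is_safe(const char *name)
{
  size_t len;

  if (name == NULL || name[0] == '\0') {
    return false; /* reject NULL and empty names */
  }
  len = strlen(name);
  if (len > SAVENAME_MAX) {
    return false; /* bound the length */
  }
  if (strspn(name, SAFE_CHARS) != len) {
    return false; /* rejects '/', '\\', spaces, control characters, ... */
  }
  if (name[0] == '.' || strstr(name, "..") != NULL) {
    return false; /* no hidden files, no parent-directory sequences */
  }
  return true;
}

/* Hypothetical callers standing in for the server setting validator and
 * the Lua save() binding; both defer to the same check. */
bool setting_savename_accept(const char *value)
{
  return savename_is_safe(value);
}

bool lua_save_accept(const char *filename)
{
  return savename_is_safe(filename);
}
```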