https://gitlab.synchro.net/main/sbbs/-/commit/93b4d946cc12ad15f15773af
Modified Files:
src/sbbs3/js_filebase.c js_msgbase.c
Log Message:
Security improvements to MsgBase and FileBase constructors
Require an initial 'true' parameter before treating the string argument to the constructor as a path/filename to a msg/file base.
As Deuce discovered, not all scripts (e.g. the legacy/runemaster web UI) do a good job of validating client/user-supplied parameters to these constructors so a sysop can end up with some unexplained and suspicious-looking SMB files (e.g. *.sid, *.shd, *.sdt) in their ctrl directory (or possibly, but hopefully not, somewhere else).
So the old "feature" of supporting an arbitrary msg or filebase path passed to the constructor now requires a unique calling pattern so this shouldn't be a problem from now on.
Also, it appears the arbitrary FileBase creation/opening didn't really work anyway, so that's now fixed.
Also, do a better job of validating an arbitrary *base path and filename so that malicious(looking) filenames won't be created, ever, using these classes.
And improve the exception/error messages and JSDOCs.
--- SBBSecho 3.29-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
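
The calling pattern described in the log message, as an added plain-JavaScript model; it is not code from the commit or from Synchronet. The names `resolveBase`, `isSafeBaseName`, `refused` and `KNOWN_CODES`, the sample codes, the rejection of unknown codes and the exact filename rules are assumptions made for illustration.

```javascript
// Added model in plain JavaScript; not Synchronet's C implementation.
// KNOWN_CODES: constructed sample of sysop-configured internal codes.
const KNOWN_CODES = new Set(["general", "sysops", "mail"]);

// Hypothetical rule: a base name is a plain file name. SMB bases span several
// files (.shd, .sid, .sdt), so the name given here becomes part of each one.
function isSafeBaseName(name) {
  return name.length > 0 && name.length <= 64 &&
    /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/.test(name) &&
    !name.includes("..");
}

// Models the calling pattern from the log message:
//   resolveBase("code")        -> configured base only
//   resolveBase(true, "path")  -> explicit opt-in to an arbitrary path
function resolveBase(...args) {
  const explicitPath = args[0] === true;
  const target = explicitPath ? args[1] : args[0];
  if (typeof target !== "string" || target.length === 0) {
    throw new TypeError("expected a code, or true followed by a path");
  }
  if (!explicitPath) {
    const code = target.toLowerCase();
    // A bare string is never interpreted as a path, whatever it contains.
    if (!KNOWN_CODES.has(code)) throw new Error("unknown internal code");
    return { mode: "code", code };
  }
  // Split on either separator, then vet the directory and base name apart.
  const cut = Math.max(target.lastIndexOf("/"), target.lastIndexOf("\\"));
  const dir = target.slice(0, cut + 1);
  const base = target.slice(cut + 1);
  if (dir.split(/[\\/]/).includes("..") || !isSafeBaseName(base)) {
    throw new Error("rejected base path");
  }
  return { mode: "path", dir, base };
}

// Returns true when the call is refused (throws), false when it is accepted.
function refused(...args) {
  try { resolveBase(...args); return false; } catch (e) { return true; }
}
```

A script that forwards a client-supplied string as the only argument can no longer reach the path branch; only code that deliberately passes `true` first can.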