diff options
| author | flow <flowlnlnln@gmail.com> | 2023-01-31 10:28:39 -0300 |
|---|---|---|
| committer | flow <flowlnlnln@gmail.com> | 2023-02-02 17:11:24 -0300 |
| commit | 435273e08a3cf6cb8197acabb31b1d4889a87254 (patch) | |
| tree | 45f2484ad7c9d180d5cc74c9940c8ef6d72ee260 /launcher/modplatform/modrinth | |
| parent | deed49574ac344f126eed5fd71f7151c72ff79ac (diff) | |
| download | PrismLauncher-435273e08a3cf6cb8197acabb31b1d4889a87254.tar.gz PrismLauncher-435273e08a3cf6cb8197acabb31b1d4889a87254.tar.bz2 PrismLauncher-435273e08a3cf6cb8197acabb31b1d4889a87254.zip | |
fix(Inst.Import): don't allow bad file path in mrpack import
This checks the URL of the path of the file to be downloaded,
ensuring that it always contains the root .minecraft target folder,
following the warning in the mrpack documentation.
Signed-off-by: flow <flowlnlnln@gmail.com>
Diffstat (limited to 'launcher/modplatform/modrinth')
| -rw-r--r-- | launcher/modplatform/modrinth/ModrinthInstanceCreationTask.cpp | 19 |
1 files changed, 14 insertions, 5 deletions
diff --git a/launcher/modplatform/modrinth/ModrinthInstanceCreationTask.cpp b/launcher/modplatform/modrinth/ModrinthInstanceCreationTask.cpp index 94c0bf77..6814e645 100644 --- a/launcher/modplatform/modrinth/ModrinthInstanceCreationTask.cpp +++ b/launcher/modplatform/modrinth/ModrinthInstanceCreationTask.cpp @@ -225,10 +225,19 @@ bool ModrinthCreationTask::createInstance() m_files_job.reset(new NetJob(tr("Mod download"), APPLICATION->network())); + auto root_modpack_path = FS::PathCombine(m_stagingPath, ".minecraft"); + auto root_modpack_url = QUrl::fromLocalFile(root_modpack_path); + for (auto file : m_files) { - auto path = FS::PathCombine(m_stagingPath, ".minecraft", file.path); - qDebug() << "Will try to download" << file.downloads.front() << "to" << path; - auto dl = Net::Download::makeFile(file.downloads.dequeue(), path); + auto file_path = FS::PathCombine(root_modpack_path, file.path); + if (!root_modpack_url.isParentOf(QUrl::fromLocalFile(file_path))) { + // This means we somehow got out of the root folder, so abort here to prevent exploits + setError(tr("One of the files has a path that leads to an arbitrary location (%1). This is a security risk and isn't allowed.").arg(file.path)); + return false; + } + + qDebug() << "Will try to download" << file.downloads.front() << "to" << file_path; + auto dl = Net::Download::makeFile(file.downloads.dequeue(), file_path); dl->addValidator(new Net::ChecksumValidator(file.hashAlgorithm, file.hash)); m_files_job->addNetAction(dl); @@ -236,8 +245,8 @@ bool ModrinthCreationTask::createInstance() // FIXME: This really needs to be put into a ConcurrentTask of // MultipleOptionsTask's , once those exist :) auto param = dl.toWeakRef(); - connect(dl.get(), &NetAction::failed, [this, &file, path, param] { - auto ndl = Net::Download::makeFile(file.downloads.dequeue(), path); + connect(dl.get(), &NetAction::failed, [this, &file, file_path, param] { + auto ndl = Net::Download::makeFile(file.downloads.dequeue(), file_path); ndl->addValidator(new Net::ChecksumValidator(file.hashAlgorithm, file.hash)); m_files_job->addNetAction(ndl); if (auto shared = param.lock()) shared->succeeded(); |