From 9108fef7018010e6b49a111856ca0553333804f8 Mon Sep 17 00:00:00 2001
From: lda
Date: Sun, 26 May 2024 15:31:14 -0500
Subject: [PATCH] Fix inconsistent sanitation with the database (#32)
Cytoplasm's Db currently doesn't sanitate database entries consistently, and this PR should be a quick fix for this.
Reviewed-on: https://git.telodendria.io/Telodendria/Cytoplasm/pulls/32
Co-authored-by: lda
Co-committed-by: lda
---
 src/Db.c | 35 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 13 deletions(-)
diff --git a/src/Db.c b/src/Db.c
index 22456ac..4128a89 100644
--- a/src/Db.c
+++ b/src/Db.c
@@ -218,19 +218,38 @@ DbHashKey(Array * args)
 return str;
 }
+static char
+DbSanitiseChar(char input)
+{
+ switch (input)
+ {
+ case '/':
+ return '_';
+ case '.':
+ return '-';
+ }
+ return input;
+}
+
 static char *
 DbDirName(Db * db, Array * args, size_t strip)
 {
- size_t i;
+ size_t i, j;
 char *str = StrConcat(2, db->dir, "/");
 for (i = 0; i < ArraySize(args) - strip; i++)
 {
 char *tmp;
+ char *sanitise = StrDuplicate(ArrayGet(args, i));
+ for (j = 0; j < strlen(sanitise); j++)
+ {
+ sanitise[j] = DbSanitiseChar(sanitise[j]);
+ }
- tmp = StrConcat(3, str, ArrayGet(args, i), "/");
+ tmp = StrConcat(3, str, sanitise, "/");
 Free(str);
+ Free(sanitise);
 str = tmp;
 }
@@ -253,17 +272,7 @@ DbFileName(Db * db, Array * args)
 /* Sanitize name to prevent directory traversal attacks */
 while (arg[j])
 {
- switch (arg[j])
- {
- case '/':
- arg[j] = '_';
- break;
- case '.':
- arg[j] = '-';
- break;
- default:
- break;
- }
+ arg[j] = DbSanitiseChar(arg[j]);
 j++;
 }
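Review bot: In the new loop in DbDirName, `sanitise` is passed to `strlen` and written through without a NULL check, so a failed `StrDuplicate` (or a NULL entry in `args`, if StrDuplicate passes NULL through, which is not visible here) is now dereferenced where the old code only handed the pointer to StrConcat. A guard such as `if (!sanitise) { Free(str); return NULL; }` would cover it, provided callers already tolerate a NULL path, which should be confirmed since DbDirName ends outside the hunk. Separately, DbSanitiseChar is not injective: `a/b` and `a_b`, or `a.b` and `a-b`, now map to the same directory, so keys built from untrusted input can alias each other on disk. That trade-off deserves a comment on the helper, e.g. `/* Lossy: '/'->'_' and '.'->'-'; distinct keys may collide on disk. */`.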
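Review bot: The per-character loop kept here in DbFileName and the new one added in DbDirName are the same operation written twice, which is the kind of duplication that let the two paths drift apart before this commit. A string-level helper such as `static void DbSanitiseString(char *s) { for (; *s; s++) *s = DbSanitiseChar(*s); }` called from both places would keep them in step and avoid re-evaluating `strlen` on every iteration in DbDirName. The "prevent directory traversal" comment would then sit on that helper, so the rationale covers directory components as well as the file name. DbFileName starts and ends outside the hunk, so whether `arg` is a private copy that is safe to modify in place cannot be checked from here.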