fix(Inst.Import): don't allow bad file path in mrpack import

This checks the URL of the path of the file to be downloaded,
ensuring that it always stays inside the root .minecraft target folder,
following the warning in the mrpack documentation.

Signed-off-by: flow <flowlnlnln@gmail.com>
flow 2023-01-31 10:28:39 -03:00
parent deed49574a
commit 435273e08a
No known key found for this signature in database
GPG Key ID: 8D0F221F0A59F469


@ -225,10 +225,19 @@ bool ModrinthCreationTask::createInstance()
m_files_job.reset(new NetJob(tr("Mod download"), APPLICATION->network())); m_files_job.reset(new NetJob(tr("Mod download"), APPLICATION->network()));
auto root_modpack_path = FS::PathCombine(m_stagingPath, ".minecraft");
auto root_modpack_url = QUrl::fromLocalFile(root_modpack_path);
for (auto file : m_files) { for (auto file : m_files) {
auto path = FS::PathCombine(m_stagingPath, ".minecraft", file.path); auto file_path = FS::PathCombine(root_modpack_path, file.path);
qDebug() << "Will try to download" << file.downloads.front() << "to" << path; if (!root_modpack_url.isParentOf(QUrl::fromLocalFile(file_path))) {
auto dl = Net::Download::makeFile(file.downloads.dequeue(), path); // This means we somehow got out of the root folder, so abort here to prevent exploits
setError(tr("One of the files has a path that leads to an arbitrary location (%1). This is a security risk and isn't allowed.").arg(file.path));
return false;
}
qDebug() << "Will try to download" << file.downloads.front() << "to" << file_path;
auto dl = Net::Download::makeFile(file.downloads.dequeue(), file_path);
dl->addValidator(new Net::ChecksumValidator(file.hashAlgorithm, file.hash)); dl->addValidator(new Net::ChecksumValidator(file.hashAlgorithm, file.hash));
m_files_job->addNetAction(dl); m_files_job->addNetAction(dl);
@ -236,8 +245,8 @@ bool ModrinthCreationTask::createInstance()
// FIXME: This really needs to be put into a ConcurrentTask of // FIXME: This really needs to be put into a ConcurrentTask of
// MultipleOptionsTask's , once those exist :) // MultipleOptionsTask's , once those exist :)
auto param = dl.toWeakRef(); auto param = dl.toWeakRef();
connect(dl.get(), &NetAction::failed, [this, &file, path, param] { connect(dl.get(), &NetAction::failed, [this, &file, file_path, param] {
auto ndl = Net::Download::makeFile(file.downloads.dequeue(), path); auto ndl = Net::Download::makeFile(file.downloads.dequeue(), file_path);
ndl->addValidator(new Net::ChecksumValidator(file.hashAlgorithm, file.hash)); ndl->addValidator(new Net::ChecksumValidator(file.hashAlgorithm, file.hash));
m_files_job->addNetAction(ndl); m_files_job->addNetAction(ndl);
if (auto shared = param.lock()) shared->succeeded(); if (auto shared = param.lock()) shared->succeeded();
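Review bot: The new containment check, `root_modpack_url.isParentOf(QUrl::fromLocalFile(file_path))`, compares URL path strings, so it is only as strong as the normalisation done by `FS::PathCombine`. The hunk does not show whether that helper collapses `..` segments or how it treats an absolute `file.path`. I would make the normalisation explicit at the call site, e.g. `auto file_path = QDir::cleanPath(FS::PathCombine(root_modpack_path, file.path));`, and extend the comment to say that symlinks under the staging folder are not resolved by this check. Separately, the `failed` lambda in the second hunk still captures `&file`, a reference to the by-value loop variable of `for (auto file : m_files)`, which is likely gone by the time the signal fires; capturing `file` by value in a `mutable` lambda would avoid the dangling reference. `createInstance()` starts and ends outside the visible hunks, so the surrounding validation of `file.downloads` could not be checked here.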