Reject filenames with slashes completly

author: Dominik Schürmann <dominik@dominikschuermann.de> 2015-09-24 23:32:51 +0200
committer: Dominik Schürmann <dominik@dominikschuermann.de> 2015-09-24 23:32:51 +0200
commit: 21b83d8fa483eb3d911e7475663a7cb36e4170a0 (patch)
tree: abf4676f709f0419b3f7a84a8217aa660b5616e5 /OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerifyOperation.java
parent: 756ee28fb0bfb63f1d013d6b82bedc13c811b32f (diff)
download: open-keychain-21b83d8fa483eb3d911e7475663a7cb36e4170a0.tar.gz
open-keychain-21b83d8fa483eb3d911e7475663a7cb36e4170a0.tar.bz2
open-keychain-21b83d8fa483eb3d911e7475663a7cb36e4170a0.zip
1 files changed, 5 insertions, 4 deletions
diff --git a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerifyOperation.java b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerifyOperation.java
index 007f686e8..36b4f5e1e 100644
--- a/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerifyOperation.java
+++ b/OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerifyOperation.java
@@ -52,13 +52,13 @@ import org.sufficientlysecure.keychain.Constants;
 import org.sufficientlysecure.keychain.Constants.key;
 import org.sufficientlysecure.keychain.R;
 import org.sufficientlysecure.keychain.operations.BaseOperation;
+import org.sufficientlysecure.keychain.operations.results.DecryptVerifyResult;
+import org.sufficientlysecure.keychain.operations.results.OperationResult.LogType;
+import org.sufficientlysecure.keychain.operations.results.OperationResult.OperationLog;
 import org.sufficientlysecure.keychain.pgp.CanonicalizedSecretKey.SecretKeyType;
 import org.sufficientlysecure.keychain.pgp.exception.PgpGeneralException;
 import org.sufficientlysecure.keychain.provider.KeychainContract.KeyRings;
 import org.sufficientlysecure.keychain.provider.ProviderHelper;
-import org.sufficientlysecure.keychain.operations.results.DecryptVerifyResult;
-import org.sufficientlysecure.keychain.operations.results.OperationResult.LogType;
-import org.sufficientlysecure.keychain.operations.results.OperationResult.OperationLog;
 import org.sufficientlysecure.keychain.service.input.CryptoInputParcel;
 import org.sufficientlysecure.keychain.service.input.RequiredInputParcel;
 import org.sufficientlysecure.keychain.ui.util.KeyFormattingUtils;
@@ -512,8 +512,9 @@ public class PgpDecryptVerifyOperation extends BaseOperation<PgpDecryptVerifyInp
         PGPLiteralData literalData = (PGPLiteralData) dataChunk;
 
         String originalFilename = literalData.getFileName();
+        // reject filenames with slashes completely (path traversal issue)
         if (originalFilename.contains("/")) {
-            originalFilename = originalFilename.substring(originalFilename.lastIndexOf('/'));
+            originalFilename = "";
         }
         String mimeType = null;
         if (literalData.getFormat() == PGPLiteralData.TEXT
author	Dominik Schürmann <dominik@dominikschuermann.de>	2015-09-24 23:32:51 +0200
committer	Dominik Schürmann <dominik@dominikschuermann.de>	2015-09-24 23:32:51 +0200
commit	21b83d8fa483eb3d911e7475663a7cb36e4170a0 (patch)
tree	abf4676f709f0419b3f7a84a8217aa660b5616e5 /OpenKeychain/src/main/java/org/sufficientlysecure/keychain/pgp/PgpDecryptVerifyOperation.java
parent	756ee28fb0bfb63f1d013d6b82bedc13c811b32f (diff)
download	open-keychain-21b83d8fa483eb3d911e7475663a7cb36e4170a0.tar.gz open-keychain-21b83d8fa483eb3d911e7475663a7cb36e4170a0.tar.bz2 open-keychain-21b83d8fa483eb3d911e7475663a7cb36e4170a0.zip