Bug 1574139: Fix an issue that prevented updates from completing if usernames contained a dot at the end of the username and general hardening of our file path verification. r=mhowell

Differential Revision: https://phabricator.services.mozilla.com/D71607
2020-04-20 20:18:37 +00:00 · 2020-04-20 20:18:37 +00:00 · 2cd9e294ac
--- a/toolkit/mozapps/update/common/updatecommon.cpp
+++ b/toolkit/mozapps/update/common/updatecommon.cpp
@ -307,8 +307,17 @@ bool IsValidFullPath(NS_tchar* origFullPath) {
  }

  // The path must not traverse directories
-  if (NS_tstrstr(origFullPath, NS_T("..")) != nullptr ||
-      NS_tstrstr(origFullPath, NS_T("./")) != nullptr) {
+  if (NS_tstrstr(origFullPath, NS_T("/../")) != nullptr) {
+    return false;
+  }
+
+  // The path shall not have a path traversal suffix
+  const NS_tchar invalidSuffix[] = NS_T("/..");
+  size_t pathLen = NS_tstrlen(origFullPath);
+  size_t invalidSuffixLen = NS_tstrlen(invalidSuffix);
+  if (invalidSuffixLen <= pathLen &&
+      NS_tstrncmp(origFullPath + pathLen - invalidSuffixLen, invalidSuffix,
+                  invalidSuffixLen) == 0) {
    return false;
  }
 #endif
--- a/toolkit/mozapps/update/common/updatedefines.h
+++ b/toolkit/mozapps/update/common/updatedefines.h
@ -69,6 +69,7 @@ static inline int mywcsprintf(WCHAR* dest, size_t count, const WCHAR* fmt,
 #  define NS_tstrcat wcscat
 #  define NS_tstrcmp wcscmp
 #  define NS_tstricmp wcsicmp
+#  define NS_tstrncmp wcsncmp
 #  define NS_tstrcpy wcscpy
 #  define NS_tstrncpy wcsncpy
 #  define NS_tstrlen wcslen
@ -116,6 +117,7 @@ static inline int mywcsprintf(WCHAR* dest, size_t count, const WCHAR* fmt,
 #  define NS_tstrcat strcat
 #  define NS_tstrcmp strcmp
 #  define NS_tstricmp strcasecmp
+#  define NS_tstrncmp strncmp
 #  define NS_tstrcpy strcpy
 #  define NS_tstrncpy strncpy
 #  define NS_tstrlen strlen
--- a/toolkit/mozapps/update/updater/launchchild_osx.mm
+++ b/toolkit/mozapps/update/updater/launchchild_osx.mm
@ -66,9 +66,9 @@ void LaunchMacPostProcess(const char* aAppBundle) {
  }

  // The path must not traverse directories and it must be a relative path.
-  if ([exeRelPath rangeOfString:@".."].location != NSNotFound ||
-      [exeRelPath rangeOfString:@"./"].location != NSNotFound ||
-      [exeRelPath rangeOfString:@"/"].location == 0) {
+  if ([exeRelPath isEqualToString:@".."] || [exeRelPath hasPrefix:@"/"] ||
+      [exeRelPath hasPrefix:@"../"] || [exeRelPath hasSuffix:@"/.."] ||
+      [exeRelPath containsString:@"/../"]) {
    return;
  }