Sanitize FileName string
For security reasons, the FileName string must be sanitized.
Resolves openbmc/openbmc#1331
Change-Id: I90aeda32421caf16e6919cffb71dd0450e4cf868
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
diff --git a/download_manager.cpp b/download_manager.cpp
index fc217f0..d600cf4 100644
--- a/download_manager.cpp
+++ b/download_manager.cpp
@@ -4,6 +4,7 @@
#include <sys/wait.h>
#include <phosphor-logging/log.hpp>
#include <experimental/filesystem>
+#include <algorithm>
#include "config.h"
#include <phosphor-logging/elog.hpp>
#include <phosphor-logging/elog-errors.hpp>
@@ -21,9 +22,15 @@
using namespace phosphor::logging;
namespace fs = std::experimental::filesystem;
-void Download::downloadViaTFTP(const std::string fileName,
- const std::string serverAddress)
+void Download::downloadViaTFTP(std::string fileName,
+ std::string serverAddress)
{
+
+ // Sanitize the fileName string
+ fileName.erase(std::remove(fileName.begin(), fileName.end(), '/'),
+ fileName.end());
+ fileName = fileName.substr(fileName.find_first_not_of('.'));
+
if (fileName.empty())
{
log<level::ERR>("Error FileName is empty");
diff --git a/download_manager.hpp b/download_manager.hpp
index b78dc4b..2ee03fb 100644
--- a/download_manager.hpp
+++ b/download_manager.hpp
@@ -36,8 +36,8 @@
* @param[in] fileName - The name of the file to transfer.
* @param[in] serverAddress - The TFTP Server IP Address.
**/
- void downloadViaTFTP(const std::string fileName,
- const std::string serverAddress) override;
+ void downloadViaTFTP(std::string fileName,
+ std::string serverAddress) override;
};
} // namespace manager