commit 4973943157c2c1258e522ed183044dbc9e623863
author Gunnar Mills <gmills@us.ibm.com> Fri Apr 21 11:03:34 2017 -0500
committer Gunnar Mills <gmills@us.ibm.com> Thu Apr 27 02:43:43 2017 +0000
tree a1b46b8ef717ac0b8b0c2483e36c91babf64e52c
parent 3a482f67eb50cc9bd779dc8f3412e793b9b3cae9

Sanitize FileName string

For security reasons, the FileName string must be sanitized.
Resolves openbmc/openbmc#1331

Change-Id: I90aeda32421caf16e6919cffb71dd0450e4cf868
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>

download_manager.cpp

diff --git a/download_manager.cpp b/download_manager.cpp
index fc217f0..d600cf4 100644
--- a/download_manager.cpp
+++ b/download_manager.cpp
@@ -4,6 +4,7 @@
 #include <sys/wait.h>
 #include <phosphor-logging/log.hpp>
 #include <experimental/filesystem>
+#include <algorithm>
 #include "config.h"
 #include <phosphor-logging/elog.hpp>
 #include <phosphor-logging/elog-errors.hpp>
@@ -21,9 +22,15 @@
 using namespace phosphor::logging;
 namespace fs = std::experimental::filesystem;
 
-void Download::downloadViaTFTP(const  std::string fileName,
-                               const  std::string serverAddress)
+void Download::downloadViaTFTP(std::string fileName,
+                               std::string serverAddress)
 {
+
+    // Sanitize the fileName string
+    fileName.erase(std::remove(fileName.begin(), fileName.end(), '/'),
+                   fileName.end());
+    fileName = fileName.substr(fileName.find_first_not_of('.'));
+
     if (fileName.empty())
     {
         log<level::ERR>("Error FileName is empty");