phaneron/Kelsidavis-WoWee
1
0
Fork 0
mirror of https://github.com/Kelsidavis/WoWee.git synced 2026-05-08 01:53:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

fix(wom+wob): reject path traversal in WOM texture paths + WOB material/group texPaths

Browse source 
Same defensive check as the WoB doodad path guard. Texture paths from
hostile WOM/WoB are passed to the asset manager; '..' or absolute paths
could probe outside the assets/ tree. Now cleared on detection — slot
survives but loads no texture (renderer falls back to white).

Single shared rejectTraversal lambda in WoB to avoid copy-paste.
This commit is contained in:
Kelsi 2026-05-06 06:16:54 -07:00
parent c4463ba96e
commit 719951976d
2 changed files with 19 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/pipeline/wowee_model.cpp
View file

@ -113,6 +113,14 @@ WoweeModel WoweeModelLoader::load(const std::string& basePath) {
if (pathLen > 1024) { pathLen = 0; }
std::string path(pathLen, '\0');
f.read(path.data(), pathLen);
// Reject path-traversal — texture paths from a hostile WOM are fed
// to the asset manager and could probe files outside assets/.
if (path.find("..") != std::string::npos ||
(!path.empty() && (path[0] == '/' || path[0] == '\\')) ||
(path.size() >= 2 && path[1] == ':')) {
LOG_WARNING("WOM texture path rejected (traversal): ", path);
path.clear();
}
model.texturePaths.push_back(path);
}