fix(editor): texture exporter rejects path-traversal in source M2/WMO texture paths

Texture paths come from M2/WMO files which a malicious zone author
could craft to include '..' or absolute paths. Without this check,
exporting such a zone would write PNGs outside outputDir/textures/
and clobber sibling export files.
Kelsi 2026-05-06 06:12:11 -07:00
parent b5a9ce7816
commit bbfc364119


@ -117,6 +117,14 @@ int TextureExporter::exportTexturesAsPng(pipeline::AssetManager* am,
if (dotPos != std::string::npos)
outPath = outPath.substr(0, dotPos) + ".png";
// Reject path-traversal attempts in the source path. Texture paths
// come from M2/WMO files which a malicious zone could craft.
if (outPath.find("..") != std::string::npos ||
(!outPath.empty() && (outPath[0] == '/' || outPath[0] == '\\'))) {
LOG_WARNING("Texture path rejected (traversal attempt): ", texPath);
continue;
}
std::string fullPath = outputDir + "/" + outPath;
fs::create_directories(fs::path(fullPath).parent_path());
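Review bot: The new guard is a substring denylist on `outPath` rather than a check that the final path stays under `outputDir`: `find("..")` also rejects harmless names that merely contain two consecutive dots, and the first-character test does not cover Windows drive-qualified forms such as `C:...`. Because the path comes from untrusted M2/WMO data, I would normalise the joined path and verify containment before `create_directories`, as in the fence below, keeping the string test only as an early filter if wanted. Whether separators in `outPath` are normalised before this point is not visible here, and the function starts and ends outside the hunk. A lexical check does not resolve symlinks that already exist under the output directory, so `fs::weakly_canonical` is the stricter option if that matters for this exporter. `texPath` is also written to the log verbatim; escaping control characters there would keep a crafted name from forging log lines.

```cpp
// … unchanged: extension swap to ".png" …
// Containment check: the normalised target must stay below outputDir.
const fs::path root = fs::path(outputDir).lexically_normal();
const fs::path candidate =
    (root / fs::path(outPath).relative_path()).lexically_normal();
const fs::path rel = candidate.lexically_relative(root);
if (rel.empty() || rel == "." || rel.is_absolute() || *rel.begin() == "..") {
    LOG_WARNING("Texture path rejected (traversal attempt): ", texPath);
    continue;
}
std::string fullPath = candidate.string();
// … unchanged: create_directories on the parent path …
```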