phaneron/Kelsidavis-WoWee
1
0
Fork 0
mirror of https://github.com/Kelsidavis/WoWee.git synced 2026-05-07 01:23:52 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

fix(wob): reject doodad paths with traversal/absolute components

Browse source 
Doodad model paths from a WoB are passed to the asset manager via
outModel.doodadNames. The asset manager only reads files, but '..' or
absolute paths from a hostile WoB could probe for files outside the
expected assets/ tree. Now clears the modelPath on traversal — the
doodad slot survives but loads no model.
This commit is contained in:
Kelsi 2026-05-06 06:14:22 -07:00
parent bbfc364119
commit c4463ba96e
1 changed files with 10 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/pipeline/wowee_building.cpp
View file

@ -148,6 +148,16 @@ WoweeBuilding WoweeBuildingLoader::load(const std::string& basePath) {
if (pl > 1024) pl = 0;
dp.modelPath.resize(pl);
f.read(dp.modelPath.data(), pl);
// Reject path-traversal in doodad model paths — these end up in
// outModel.doodadNames and are passed to the asset manager. While
// the manager only reads files, '..' paths in custom_zones could
// probe for files outside the assets/ tree.
if (dp.modelPath.find("..") != std::string::npos ||
(!dp.modelPath.empty() && (dp.modelPath[0] == '/' || dp.modelPath[0] == '\\')) ||
(dp.modelPath.size() >= 2 && dp.modelPath[1] == ':')) {
LOG_WARNING("WOB doodad path rejected (traversal): ", dp.modelPath);
dp.modelPath.clear();
}
f.read(reinterpret_cast<char*>(&dp.position), 12);
f.read(reinterpret_cast<char*>(&dp.rotation), 12);
f.read(reinterpret_cast<char*>(&dp.scale), 4);