commit: fcde19e3fb1e7b10d4af5742bebb8109c7d911c4
parent cb6872cc9790ee2cd04f54ee762c23f5e48d9f4b
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date: Sun, 13 Mar 2022 00:43:35 +0100
uri: Remove access() check
Otherwise it was returning `NULL` and sending out the path of non-readable files
over HTTP (unencrypted) could be unintended.
Better to fail in a local path than be sorry.
Diffstat:
2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/uri.c b/uri.c
@@ -26,11 +26,7 @@ badwolf_ensure_uri_scheme(const gchar *text, gboolean try_file)
if(path != NULL)
{
- /* flawfinder: ignore. only used as presence check, no way to pass file descriptor */
- if(access(path, R_OK) == 0)
- {
- f = g_strdup_printf("file://%s", path);
- }
+ f = g_strdup_printf("file://%s", path);
free(path);
diff --git a/uri_test.c b/uri_test.c
@@ -29,6 +29,8 @@ badwolf_ensure_uri_scheme_test(void)
{fallback, "", TRUE},
{"http:///dev/null", "/dev/null", FALSE},
{"file:///dev/null", "/dev/null", TRUE},
+ {"http:///root", "/root", FALSE},
+ {"file:///root", "/root", TRUE},
{"http:///usr/../dev/null", "/usr/../dev/null", FALSE},
{"file:///dev/null", "/usr/../dev/null", TRUE},
{"http://example.org", "example.org", FALSE},
