piwalker/dolphin
1
0
Fork 0
mirror of https://github.com/dolphin-emu/dolphin.git synced 2025-07-29 17:19:44 -06:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4472 from JosJuice/revert-absolute-path

Browse Source 
IOS HLE: Replace broken path traversal prevention
This commit is contained in:
JosJuice
2016-11-29 18:34:22 +01:00
committed by GitHub
parent 97ebb02a07 0c6fd47460
commit 3cfc49a613
15 changed files with 234 additions and 138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
Source/Core/Core/HW/GCMemcard.h
View File

@ -157,24 +157,7 @@ struct DEntry
{
std::string filename = std::string((char*)Makercode, 2) + '-' +
std::string((char*)Gamecode, 4) + '-' + (char*)Filename + ".gci";
static Common::replace_v replacements;
if (replacements.size() == 0)
{
Common::ReadReplacements(replacements);
// Cannot add \r to replacements file due to it being a line ending char
// / might be ok, but we need to verify that this is only used on filenames
// as it is a dir_sep
replacements.push_back(std::make_pair('\r', std::string("__0d__")));
replacements.push_back(std::make_pair('/', std::string("__2f__")));
}
// Replaces chars that FAT32 can't support with strings defined in /sys/replace
for (auto& replacement : replacements)
{
for (size_t j = 0; (j = filename.find(replacement.first, j)) != filename.npos; ++j)
filename.replace(j, 1, replacement.second);
}
return filename;
return Common::EscapeFileName(filename);
}
u8 Gamecode[4]; // 0x00 0x04 Gamecode

23
Source/Core/Core/HW/WiiSaveCrypted.cpp
View File

@ -30,8 +30,6 @@
#include "Core/HW/WiiSaveCrypted.h"
static Common::replace_v replacements;
const u8 CWiiSaveCrypted::s_sd_key[16] = {0xAB, 0x01, 0xB9, 0xD8, 0xE1, 0x62, 0x2B, 0x08,
0xAF, 0xBA, 0xD8, 0x4D, 0xBF, 0xC2, 0xA5, 0x5D};
const u8 CWiiSaveCrypted::s_md5_blanker[16] = {0x0E, 0x65, 0x37, 0x81, 0x99, 0xBE, 0x45, 0x17,
@ -102,7 +100,6 @@ void CWiiSaveCrypted::ExportAllSaves()
CWiiSaveCrypted::CWiiSaveCrypted(const std::string& filename, u64 title_id)
: m_encrypted_save_path(filename), m_title_id(title_id)
{
Common::ReadReplacements(replacements);
memcpy(m_sd_iv, "\x21\x67\x12\xE6\xAA\x1F\x68\x9F\x95\xC5\xA2\x23\x24\xDC\x6A\x98", 0x10);
if (!title_id) // Import
@ -340,12 +337,8 @@ void CWiiSaveCrypted::ImportWiiSaveFiles()
}
else
{
std::string filename((char*)file_hdr_tmp.name);
for (const Common::replace_t& replacement : replacements)
{
for (size_t j = 0; (j = filename.find(replacement.first, j)) != filename.npos; ++j)
filename.replace(j, 1, replacement.second);
}
std::string filename =
Common::EscapeFileName(reinterpret_cast<const char*>(file_hdr_tmp.name));
std::string file_path_full = m_wii_title_path + filename;
File::CreateFullPath(file_path_full);
@ -388,7 +381,6 @@ void CWiiSaveCrypted::ExportWiiSaveFiles()
for (u32 i = 0; i < m_files_list_size; i++)
{
FileHDR file_hdr_tmp;
std::string name;
memset(&file_hdr_tmp, 0, FILE_HDR_SZ);
u32 file_size = 0;
@ -407,15 +399,8 @@ void CWiiSaveCrypted::ExportWiiSaveFiles()
file_hdr_tmp.size = Common::swap32(file_size);
file_hdr_tmp.Permissions = 0x3c;
name = m_files_list[i].substr(m_wii_title_path.length() + 1);
for (const Common::replace_t& repl : replacements)
{
for (size_t j = 0; (j = name.find(repl.second, j)) != name.npos; ++j)
{
name.replace(j, repl.second.length(), 1, repl.first);
}
}
std::string name =
Common::UnescapeFileName(m_files_list[i].substr(m_wii_title_path.length() + 1));
if (name.length() > 0x44)
{

10
Source/Core/Core/IPC_HLE/WII_IPC_HLE.cpp
View File

@ -441,7 +441,7 @@ void ExecuteCommand(u32 address)
result = IWII_IPC_HLE_Device::GetDefaultReply();
}
}
else
else if (device_name.find('/') == 0)
{
device = CreateFileIO(DeviceID, device_name);
result = device->Open(address, Mode);
@ -449,9 +449,13 @@ void ExecuteCommand(u32 address)
DEBUG_LOG(WII_IPC_FILEIO, "IOP: Open File (Device=%s, ID=%08x, Mode=%i)",
device->GetDeviceName().c_str(), DeviceID, Mode);
if (Memory::Read_U32(address + 4) == (u32)DeviceID)
{
s_fdmap[DeviceID] = device;
}
}
else
{
WARN_LOG(WII_IPC_HLE, "Invalid device: %s", device_name.c_str());
Memory::Write_U32(FS_ENOENT, address + 4);
result = IWII_IPC_HLE_Device::GetDefaultReply();
}
}
else

43
Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_FileIO.cpp
View File

@ -7,55 +7,27 @@
#include <memory>
#include <utility>
#include "Common/Assert.h"
#include "Common/ChunkFile.h"
#include "Common/CommonTypes.h"
#include "Common/FileUtil.h"
#include "Common/Logging/Log.h"
#include "Common/MsgHandler.h"
#include "Common/NandPaths.h"
#include "Core/HW/Memmap.h"
#include "Core/IPC_HLE/WII_IPC_HLE.h"
#include "Core/IPC_HLE/WII_IPC_HLE_Device_FileIO.h"
#include "Core/IPC_HLE/WII_IPC_HLE_Device_fs.h"
static Common::replace_v replacements;
static std::map<std::string, std::weak_ptr<File::IOFile>> openFiles;
// This is used by several of the FileIO and /dev/fs functions
std::string HLE_IPC_BuildFilename(std::string path_wii)
std::string HLE_IPC_BuildFilename(const std::string& wii_path)
{
// Replaces chars that FAT32 can't support with strings defined in /sys/replace
for (auto& replacement : replacements)
{
for (size_t j = 0; (j = path_wii.find(replacement.first, j)) != path_wii.npos; ++j)
path_wii.replace(j, 1, replacement.second);
}
std::string nand_path = File::GetUserPath(D_SESSION_WIIROOT_IDX);
if (wii_path.compare(0, 1, "/") == 0)
return nand_path + Common::EscapePath(wii_path);
const std::string root_path = File::GetUserPath(D_SESSION_WIIROOT_IDX);
const std::string full_path = root_path + path_wii;
const std::string absolute_root_path = File::GetAbsolutePath(root_path);
const std::string absolute_full_path = File::GetAbsolutePath(full_path);
if (absolute_root_path.empty() || absolute_full_path.empty())
{
PanicAlert("IOS HLE: Couldn't get an absolute path; the root directory will be returned. "
"This will most likely lead to failures.");
return root_path;
}
if (path_wii.empty() || path_wii[0] != '/' ||
absolute_full_path.compare(0, absolute_root_path.size(), absolute_root_path) != 0)
{
// Prevent the emulated system from accessing files that aren't in the NAND directory.
// (Emulated software that tries to exploit Dolphin might access a path like "/../..".)
WARN_LOG(WII_IPC_FILEIO,
"The emulated software tried to access a file outside of the NAND directory: %s",
absolute_full_path.c_str());
return root_path;
}
return full_path;
_assert_(false);
return nand_path;
}
void HLE_IPC_CreateVirtualFATFilesystem()
@ -97,7 +69,6 @@ CWII_IPC_HLE_Device_FileIO::CWII_IPC_HLE_Device_FileIO(u32 device_id,
const std::string& device_name)
: IWII_IPC_HLE_Device(device_id, device_name, false) // not a real hardware
{
Common::ReadReplacements(replacements);
}
CWII_IPC_HLE_Device_FileIO::~CWII_IPC_HLE_Device_FileIO()

2
Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_FileIO.h
View File

@ -18,7 +18,7 @@ namespace File
class IOFile;
}
std::string HLE_IPC_BuildFilename(std::string _pFilename);
std::string HLE_IPC_BuildFilename(const std::string& wii_path);
void HLE_IPC_CreateVirtualFATFilesystem();
class CWII_IPC_HLE_Device_FileIO : public IWII_IPC_HLE_Device

90
Source/Core/Core/IPC_HLE/WII_IPC_HLE_Device_fs.cpp
View File

@ -22,12 +22,14 @@
#include "Core/IPC_HLE/WII_IPC_HLE_Device_FileIO.h"
#include "Core/IPC_HLE/WII_IPC_HLE_Device_fs.h"
static Common::replace_v replacements;
static bool IsValidWiiPath(const std::string& path)
{
return path.compare(0, 1, "/") == 0;
}
CWII_IPC_HLE_Device_fs::CWII_IPC_HLE_Device_fs(u32 _DeviceID, const std::string& _rDeviceName)
: IWII_IPC_HLE_Device(_DeviceID, _rDeviceName)
{
Common::ReadReplacements(replacements);
}
CWII_IPC_HLE_Device_fs::~CWII_IPC_HLE_Device_fs()
@ -96,9 +98,18 @@ IPCCommandResult CWII_IPC_HLE_Device_fs::IOCtlV(u32 _CommandAddress)
{
case IOCTLV_READ_DIR:
{
const std::string relative_path =
Memory::GetString(CommandBuffer.InBuffer[0].m_Address, CommandBuffer.InBuffer[0].m_Size);
if (!IsValidWiiPath(relative_path))
{
WARN_LOG(WII_IPC_FILEIO, "Not a valid path: %s", relative_path.c_str());
ReturnValue = FS_RESULT_FATAL;
break;
}
// the Wii uses this function to define the type (dir or file)
std::string DirName(HLE_IPC_BuildFilename(
Memory::GetString(CommandBuffer.InBuffer[0].m_Address, CommandBuffer.InBuffer[0].m_Size)));
std::string DirName(HLE_IPC_BuildFilename(relative_path));
INFO_LOG(WII_IPC_FILEIO, "FS: IOCTL_READ_DIR %s", DirName.c_str());
@ -132,10 +143,9 @@ IPCCommandResult CWII_IPC_HLE_Device_fs::IOCtlV(u32 _CommandAddress)
{
for (File::FSTEntry& child : entry.children)
{
// Decode entities of invalid file system characters so that
// games (such as HP:HBP) will be able to find what they expect.
for (const Common::replace_t& r : replacements)
child.virtualName = ReplaceAll(child.virtualName, r.second, {r.first});
// Decode escaped invalid file system characters so that games (such as
// Harry Potter and the Half-Blood Prince) can find what they expect.
child.virtualName = Common::UnescapeFileName(child.virtualName);
}
std::sort(entry.children.begin(), entry.children.end(),
@ -181,6 +191,14 @@ IPCCommandResult CWII_IPC_HLE_Device_fs::IOCtlV(u32 _CommandAddress)
// It should be correct, but don't count on it...
std::string relativepath =
Memory::GetString(CommandBuffer.InBuffer[0].m_Address, CommandBuffer.InBuffer[0].m_Size);
if (!IsValidWiiPath(relativepath))
{
WARN_LOG(WII_IPC_FILEIO, "Not a valid path: %s", relativepath.c_str());
ReturnValue = FS_RESULT_FATAL;
break;
}
std::string path(HLE_IPC_BuildFilename(relativepath));
u32 fsBlocks = 0;
u32 iNodes = 0;
@ -295,7 +313,13 @@ s32 CWII_IPC_HLE_Device_fs::ExecuteCommand(u32 _Parameter, u32 _BufferIn, u32 _B
Addr += 4;
u16 GroupID = Memory::Read_U16(Addr);
Addr += 2;
std::string DirName(HLE_IPC_BuildFilename(Memory::GetString(Addr, 64)));
const std::string wii_path = Memory::GetString(Addr, 64);
if (!IsValidWiiPath(wii_path))
{
WARN_LOG(WII_IPC_FILEIO, "Not a valid path: %s", wii_path.c_str());
return FS_RESULT_FATAL;
}
std::string DirName(HLE_IPC_BuildFilename(wii_path));
Addr += 64;
Addr += 9; // owner attribs, permission
u8 Attribs = Memory::Read_U8(Addr);
@ -320,7 +344,13 @@ s32 CWII_IPC_HLE_Device_fs::ExecuteCommand(u32 _Parameter, u32 _BufferIn, u32 _B
Addr += 4;
u16 GroupID = Memory::Read_U16(Addr);
Addr += 2;
std::string Filename = HLE_IPC_BuildFilename(Memory::GetString(_BufferIn, 64));
const std::string wii_path = Memory::GetString(_BufferIn, 64);
if (!IsValidWiiPath(wii_path))
{
WARN_LOG(WII_IPC_FILEIO, "Not a valid path: %s", wii_path.c_str());
return FS_RESULT_FATAL;
}
std::string Filename = HLE_IPC_BuildFilename(wii_path);
Addr += 64;
u8 OwnerPerm = Memory::Read_U8(Addr);
Addr += 1;
@ -352,7 +382,13 @@ s32 CWII_IPC_HLE_Device_fs::ExecuteCommand(u32 _Parameter, u32 _BufferIn, u32 _B
u32 OwnerID = 0;
u16 GroupID = 0x3031; // this is also known as makercd, 01 (0x3031) for nintendo and 08
// (0x3038) for MH3 etc
std::string Filename = HLE_IPC_BuildFilename(Memory::GetString(_BufferIn, 64));
const std::string wii_path = Memory::GetString(_BufferIn, 64);
if (!IsValidWiiPath(wii_path))
{
WARN_LOG(WII_IPC_FILEIO, "Not a valid path: %s", wii_path.c_str());
return FS_RESULT_FATAL;
}
std::string Filename = HLE_IPC_BuildFilename(wii_path);
u8 OwnerPerm = 0x3; // read/write
u8 GroupPerm = 0x3; // read/write
u8 OtherPerm = 0x3; // read/write
@ -405,7 +441,13 @@ s32 CWII_IPC_HLE_Device_fs::ExecuteCommand(u32 _Parameter, u32 _BufferIn, u32 _B
_dbg_assert_(WII_IPC_FILEIO, _BufferOutSize == 0);
int Offset = 0;
std::string Filename = HLE_IPC_BuildFilename(Memory::GetString(_BufferIn + Offset, 64));
const std::string wii_path = Memory::GetString(_BufferIn + Offset, 64);
if (!IsValidWiiPath(wii_path))
{
WARN_LOG(WII_IPC_FILEIO, "Not a valid path: %s", wii_path.c_str());
return FS_RESULT_FATAL;
}
std::string Filename = HLE_IPC_BuildFilename(wii_path);
Offset += 64;
if (File::Delete(Filename))
{
@ -429,10 +471,22 @@ s32 CWII_IPC_HLE_Device_fs::ExecuteCommand(u32 _Parameter, u32 _BufferIn, u32 _B
_dbg_assert_(WII_IPC_FILEIO, _BufferOutSize == 0);
int Offset = 0;
std::string Filename = HLE_IPC_BuildFilename(Memory::GetString(_BufferIn + Offset, 64));
const std::string wii_path = Memory::GetString(_BufferIn + Offset, 64);
if (!IsValidWiiPath(wii_path))
{
WARN_LOG(WII_IPC_FILEIO, "Not a valid path: %s", wii_path.c_str());
return FS_RESULT_FATAL;
}
std::string Filename = HLE_IPC_BuildFilename(wii_path);
Offset += 64;
std::string FilenameRename = HLE_IPC_BuildFilename(Memory::GetString(_BufferIn + Offset, 64));
const std::string wii_path_rename = Memory::GetString(_BufferIn + Offset, 64);
if (!IsValidWiiPath(wii_path_rename))
{
WARN_LOG(WII_IPC_FILEIO, "Not a valid path: %s", wii_path_rename.c_str());
return FS_RESULT_FATAL;
}
std::string FilenameRename = HLE_IPC_BuildFilename(wii_path_rename);
Offset += 64;
// try to make the basis directory
@ -469,7 +523,13 @@ s32 CWII_IPC_HLE_Device_fs::ExecuteCommand(u32 _Parameter, u32 _BufferIn, u32 _B
Addr += 4;
u16 GroupID = Memory::Read_U16(Addr);
Addr += 2;
std::string Filename(HLE_IPC_BuildFilename(Memory::GetString(Addr, 64)));
const std::string wii_path = Memory::GetString(Addr, 64);
if (!IsValidWiiPath(wii_path))
{
WARN_LOG(WII_IPC_FILEIO, "Not a valid path: %s", wii_path.c_str());
return FS_RESULT_FATAL;
}
std::string Filename(HLE_IPC_BuildFilename(wii_path));
Addr += 64;
u8 OwnerPerm = Memory::Read_U8(Addr);
Addr++;