Update for widelands in stable
I've prepared an update for widelands in squeeze in response to
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=624316
The security fix 1:15-3squeeze1 for bug #617960 introduced this extra
bug, so this fix should really have been part of that upload, and someone
also mentioned it in the bugreport, but I missed that email.
I'm attaching the debdiff, cheers.
diff -Nru widelands-15/debian/changelog widelands-15/debian/changelog
--- widelands-15/debian/changelog 2011-04-19 14:35:17.000000000 +0200
+++ widelands-15/debian/changelog 2011-08-17 21:14:53.000000000 +0200
@@ -1,3 +1,10 @@
+widelands (1:15-3squeeze2) stable; urgency=low
+
+ * Fix network play on official maps (bug introduced by patches/secfix-617960)
+ Added: patches/secfix-617960-aux (Closes: #624316)
+
+ -- Enrico Tassi <gareuselesinge@debian.org> Wed, 17 Aug 2011 21:12:34 +0200
+
widelands (1:15-3squeeze1) stable; urgency=high
* Closes a potential security issue in internet games.
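Review bot: the 1:15-3squeeze2 entry describes only the functional fix ("Fix network play on official maps") and does not record that secfix-617960-aux also changes the sanitisation behaviour of the earlier security patch. Since this upload relaxes a security measure (single dots are no longer replaced) and extends it to the WIN32 code path, the entry should say so in a line of its own, so that anyone auditing the fix for #617960 can see from the changelog that its rules were revised here.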
diff -Nru widelands-15/debian/patches/secfix-617960-aux widelands-15/debian/patches/secfix-617960-aux
--- widelands-15/debian/patches/secfix-617960-aux 1970-01-01 01:00:00.000000000 +0100
+++ widelands-15/debian/patches/secfix-617960-aux 2011-08-17 21:11:22.000000000 +0200
@@ -0,0 +1,52 @@
+Index: widelands-15/src/io/filesystem/filesystem.cc
+===================================================================
+--- widelands-15.orig/src/io/filesystem/filesystem.cc 2011-08-17 21:10:55.000000000 +0200
++++ widelands-15/src/io/filesystem/filesystem.cc 2011-08-17 21:11:15.000000000 +0200
+@@ -100,25 +100,32 @@
+ * on locale OS.
+ */
+ std::string FileSystem::fixCrossFile(std::string path) {
+-#ifdef WIN32
+- // We simply keep it as it is and do not care about slashes - they will
+- // be replaced with backslashes in file read actions.
+- return path;
+-#else
+- std::string fixedpath(path);
+- std::string temp;
+ uint32_t path_size = path.size();
++ std::string fixedPath(path);
++ std::string temp;
+ for (uint32_t i = 0; i < path_size; ++i) {
+- temp = fixedpath.at(i);
++ temp = path.at(i);
++#ifdef WIN32
++ if (temp == "/")
++#else
+ if (temp == "\\")
+- fixedpath.at(i) = m_filesep;
+- // As a security measure, eat all dots and tildes away when file is
+- // tranferred over network.
+- if (temp == "." || temp == "~")
+- fixedpath.at(i) = '-';
+- }
+- return fixedpath;
+ #endif
++ fixedPath.at(i) = m_filesep;
++ // As a security measure, eat all:
++ // * tildes
++ // * double dots
++ // * dots with following slash/backslash (but not a single dot - we need it in e.g. "xyz.wmf")
++ // away to avoid misuse of the file transfer function.
++ if (temp == "~")
++ fixedPath.at(i) = '_';
++ if (temp == "." && (i + 1 < path_size)) {
++ std::string temp2;
++ temp2 = path.at(i + 1);
++ if (temp2 == "." || temp2 == "\\" || temp2 == "/")
++ fixedPath.at(i) = '_';
++ }
++ }
++ return fixedPath;
+ }
+
+ /**
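Review bot: in the new loop of FileSystem::fixCrossFile, a separator at index 0 is only normalised to m_filesep and is never replaced, so a path that begins with "/" or "\\" comes out still starting with a separator. The checks cover "~", ".." and "./" only. Please confirm that every caller joins the result onto a fixed base directory, or add an explicit case for a leading separator. Two smaller points: the "if (temp == ...)" under #ifdef WIN32 / #else has its body after the #endif with no braces, which is easy to break in a later edit, so brace it; and the patch file starts straight at "Index:" with no description or bug reference header, which would help whoever next reads debian/patches.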
diff -Nru widelands-15/debian/patches/series widelands-15/debian/patches/series
--- widelands-15/debian/patches/series 2011-04-19 12:35:23.000000000 +0200
+++ widelands-15/debian/patches/series 2011-08-17 21:10:44.000000000 +0200
@@ -1,2 +1,3 @@
s390
secfix-617960
+secfix-617960-aux