diff options
| author |  Joey Hess <joeyh@joeyh.name> | 2014-12-17 14:17:19 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2014-12-17 14:17:19 -0400 |
| commit | 54e29183d92006e2a2bfb83653ef7dea1e610679 (patch) | |
| tree | c679ddb60a1f73a63c8bc4dff31f883b5a12a034 /Remote/BitTorrent.hs | |
| parent | aade3c08e5089c2fdd263427efe322deea348cbc (diff) | |
remove excess directory
Diffstat (limited to 'Remote/BitTorrent.hs')
| -rw-r--r-- | Remote/BitTorrent.hs | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/Remote/BitTorrent.hs b/Remote/BitTorrent.hs index 9b055b19b..d4c2792cc 100644 --- a/Remote/BitTorrent.hs +++ b/Remote/BitTorrent.hs @@ -353,6 +353,7 @@ torrentFileSizes torrent = do fn = reverse $ drop 2 $ dropWhile (/= '(') $ dropWhile (== ')') $ reverse l + -- a malicious torrent file might try to do directory traversal scrub f = if isAbsolute f || any (== "..") (splitPath f) then error "found unsafe filename in torrent!" else f @@ -365,4 +366,4 @@ torrentContents u = convert convert l = UrlMulti $ map mkmulti (zip l [1..]) mkmulti ((fn, sz), n) = - (torrentUrlWithNum u n, Just sz, mkSafeFilePath fn) + (torrentUrlWithNum u n, Just sz, mkSafeFilePath $ joinPath $ drop 1 $ splitPath fn) |