Archive name reported as (null) and maybe a security issue when the file name contains a %
I have found that the file-roller message shown during the expansion of an archive that contains a percent (%) in the name shows the message:
Extracting the files from “(null)”
Instead of the proper name of the archive.
Looking at the code, I found that the problem is in the function _g_file_get_display_basename of glib-utils.c:
    char *
    _g_file_get_display_basename (GFile *file)
    {
        char *uri, *e_name, *name;

        uri = g_file_get_uri (file);
        e_name = g_filename_display_basename (uri);
        name = g_uri_unescape_string (e_name, ""); /* Here name can be NULL if e_name contains a % */

        g_free (e_name);
        g_free (uri);

        return name;
    }
There the function g_uri_unescape_string returns NULL if the input (e_name) contains a percent not followed by 2 hex digits.
When the file name contains sequences of % followed by 2 hex numbers, this allows hiding any string in the name (a naive example: '%2f%65%74%63%2f%70%61%73%73%77%64.zip' is displayed as "Extracting the files from “/etc/passwd.zip”").
I do not think this is usable as an attack, as the string is properly escaped using g_markup_printf_escaped in fr-window.c and the Pango markup language is simple, but it is nevertheless an uncontrolled situation.
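
One way to guard both cases described in the report, as an added example that is not file-roller's code or its fix. The names `unescape_strict` and `display_basename_safe` are hypothetical, and `unescape_strict` is a stand-in that mimics the NULL-on-invalid-escape behaviour of `g_uri_unescape_string` so the block builds without GLib.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for g_uri_unescape_string (s, ""): returns a malloc'd decoded copy,
 * or NULL when a '%' is not followed by two hex digits (or decodes to NUL). */
static char *unescape_strict(const char *s)
{
    char *out = malloc(strlen(s) + 1), *p = out;
    if (out == NULL)
        return NULL;
    while (*s != '\0') {
        if (*s != '%') {
            *p++ = *s++;
            continue;
        }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2])) {
            free(out);              /* stray '%': strict decoding fails */
            return NULL;
        }
        char hex[3] = { s[1], s[2], '\0' };
        char c = (char)strtol(hex, NULL, 16);
        if (c == '\0') {            /* "%00" would truncate the name */
            free(out);
            return NULL;
        }
        *p++ = c;
        s += 3;
    }
    *p = '\0';
    return out;
}

/* Hypothetical hardened wrapper: returns NULL only on allocation failure,
 * and never lets escapes introduce a '/' into what is shown as a basename.
 * In both problem cases the escaped form is shown unchanged. */
char *display_basename_safe(const char *escaped)
{
    char *name = unescape_strict(escaped);
    if (name != NULL && strchr(name, '/') == NULL)
        return name;
    free(name);
    char *copy = malloc(strlen(escaped) + 1);
    return copy ? strcpy(copy, escaped) : NULL;
}
```

The caller still has to escape the result for Pango markup, as fr-window.c already does with g_markup_printf_escaped.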