g_file_new_for_uri() handles query strings incorrectly ("?")
/* gcc -Wall -O2 -o uri uri.c `pkg-config --cflags --libs glib-2.0 gio-2.0` */
#include <stdio.h>
#include <gio/gio.h>

int
main (int argc, char **argv)
{
  /* Everything after the '?' should be the query component, not part of the path. */
  GFile *file = g_file_new_for_uri ("file:///.?../../../../../../etc/passwd");
  g_assert (file != NULL);

  char *path = g_file_get_path (file);
  g_assert (path != NULL);
  printf ("%s\n", path); /* prints /etc/passwd */

  /* Release the path string and the GFile reference. */
  g_free (path);
  g_object_unref (file);
  return 0;
}
It seems that g_file_new_for_uri() is just letting the query string after the ? through. While that function is not expected to prevent directory traversal attacks, I don't think it is handling URI syntax correctly. In the case above, the filename is /. and the query is probably invalid, though I haven't verified the latter.
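
An added example (not part of the original report and not GLib code): a minimal RFC 3986 split of a file: URI, in which the path ends at the first `?` or `#` and only the path is percent-decoded, so the URI above yields path `/.` and query `../../../../../../etc/passwd`. The helper names `split_file_uri` and `hexval` are hypothetical, and the authority component is skipped rather than validated.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical helpers, not a GLib API. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Split a file: URI into a percent-decoded path and the raw query.
 * Returns 0 on success, -1 on malformed input or a too-small buffer. */
int split_file_uri(const char *uri, char *path, size_t plen,
                   char *query, size_t qlen)
{
    if (plen == 0 || qlen == 0) return -1;
    for (int i = 0; i < 7; i++)            /* scheme is case-insensitive */
        if (tolower((unsigned char)uri[i]) != "file://"[i]) return -1;
    const char *p = uri + 7;
    p += strcspn(p, "/?#");                /* skip authority (may be empty) */
    if (*p != '/') return -1;              /* an absolute path is required */
    size_t raw = strcspn(p, "?#"), o = 0;  /* path stops at '?' or '#' */
    for (size_t i = 0; i < raw; i++) {
        int c = (unsigned char)p[i];
        if (c == '%') {                    /* %3F is how a literal '?' gets into a path */
            if (raw - i < 3) return -1;
            int hi = hexval((unsigned char)p[i + 1]);
            int lo = hexval((unsigned char)p[i + 2]);
            if (hi < 0 || lo < 0 || (c = hi * 16 + lo) == 0) return -1;
            i += 2;
        }
        if (o + 1 >= plen) return -1;
        path[o++] = (char)c;
    }
    path[o] = '\0';
    p += raw;
    size_t n = (*p == '?') ? strcspn(++p, "#") : 0;  /* query stops at '#' */
    if (n >= qlen) return -1;
    memcpy(query, p, n);
    query[n] = '\0';
    return 0;
}

int main(void)
{
    char path[256], query[256];            /* URI below is the one from the report */
    if (split_file_uri("file:///.?../../../../../../etc/passwd",
                       path, sizeof path, query, sizeof query) == 0)
        printf("path=%s query=%s\n", path, query);
    return 0;
}
```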