From 7a1a2ec328f8ebd150f4954604b905e97fcfd095 Mon Sep 17 00:00:00 2001
From: Uwe Seimet <Uwe.Seimet@seimet.de>
Date: Fri, 17 Sep 2021 19:45:27 +0200
Subject: [PATCH] Updated error handling

---
 src/raspberrypi/rascsi.cpp | 41 ++++++++++++++++++++++++++++++++++----
 1 file changed, 37 insertions(+), 4 deletions(-)

diff --git a/src/raspberrypi/rascsi.cpp b/src/raspberrypi/rascsi.cpp
index 1a7b976f..aefb6d6f 100644
--- a/src/raspberrypi/rascsi.cpp
+++ b/src/raspberrypi/rascsi.cpp
@@ -715,6 +715,11 @@ string SetReservedIds(const string& ids)
 	return "";
 }
 
+bool IsValidFilename(const string& filename)
+{
+	return filename != "." && filename != "..";
+}
+
 bool CreateImage(int fd, const PbCommand& command)
 {
 	string filename = GetParam(command, "file");
@@ -722,6 +727,10 @@ bool CreateImage(int fd, const PbCommand& command)
 		return ReturnStatus(fd, false, "Missing image filename");
 	}
 
+	if (!IsValidFilename(filename)) {
+		return ReturnStatus(fd, false, "Invalid filename '" + filename + "'");
+	}
+
 	string size = GetParam(command, "size");
 	if (size.empty()) {
 		return ReturnStatus(fd, false, "Missing image size");
@@ -794,6 +803,10 @@ bool DeleteImage(int fd, const PbCommand& command)
 		return ReturnStatus(fd, false, "Missing image filename");
 	}
 
+	if (!IsValidFilename(filename)) {
+		return ReturnStatus(fd, false, "Invalid filename '" + filename + "'");
+	}
+
 	if (filename.find('/') != string::npos) {
 		return ReturnStatus(fd, false, "The image filename '" + filename + "' must not contain a path");
 	}
@@ -831,11 +844,19 @@ bool RenameImage(int fd, const PbCommand& command)
 		return ReturnStatus(fd, false, "Missing destination filename");
 	}
 
+	if (!IsValidFilename(from)) {
+		return ReturnStatus(fd, false, "Invalid filename '" + from + "'");
+	}
+
+	if (!IsValidFilename(to)) {
+		return ReturnStatus(fd, false, "Invalid filename '" + to + "'");
+	}
+
 	if (from.find('/') != string::npos) {
-		return ReturnStatus(fd, false, "The current filename '" + from + "' must not contain a path");
+		return ReturnStatus(fd, false, "The source filename '" + from + "' must not contain a path");
 	}
 	if (to.find('/') != string::npos) {
-		return ReturnStatus(fd, false, "The new filename '" + to + "' must not contain a path");
+		return ReturnStatus(fd, false, "The destination filename '" + to + "' must not contain a path");
 	}
 
 	from = default_image_folder + "/" + from;
@@ -867,11 +888,19 @@ bool CopyImage(int fd, const PbCommand& command)
 		return ReturnStatus(fd, false, "Missing destination filename");
 	}
 
+	if (!IsValidFilename(from)) {
+		return ReturnStatus(fd, false, "Invalid filename '" + from + "'");
+	}
+
+	if (!IsValidFilename(to)) {
+		return ReturnStatus(fd, false, "Invalid filename '" + to + "'");
+	}
+
 	if (from.find('/') != string::npos) {
-		return ReturnStatus(fd, false, "The current filename '" + from + "' must not contain a path");
+		return ReturnStatus(fd, false, "The source filename '" + from + "' must not contain a path");
 	}
 	if (to.find('/') != string::npos) {
-		return ReturnStatus(fd, false, "The new filename '" + to + "' must not contain a path");
+		return ReturnStatus(fd, false, "The destination filename '" + to + "' must not contain a path");
 	}
 
 	from = default_image_folder + "/" + from;
@@ -921,6 +950,10 @@ bool SetImagePermissions(int fd, const PbCommand& command)
 		return ReturnStatus(fd, false, "Missing image filename");
 	}
 
+	if (!IsValidFilename(filename)) {
+		return ReturnStatus(fd, false, "Invalid filename '" + filename + "'");
+	}
+
 	if (filename.find('/') != string::npos) {
 		return ReturnStatus(fd, false, "The image filename '" + filename + "' must not contain a path");
 	}