From d678771c660c936a6222dd43a204cb2699100f3e Mon Sep 17 00:00:00 2001 From: Luke Dashjr Date: Sun, 8 Jan 2017 20:41:30 +0000 Subject: [PATCH] Wallet: Sanitise -wallet parameter --- src/utilstrencodings.cpp | 3 ++- src/utilstrencodings.h | 3 ++- src/wallet/wallet.cpp | 6 ++++++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/src/utilstrencodings.cpp b/src/utilstrencodings.cpp index 025040c43a4..29ae57940ff 100644 --- a/src/utilstrencodings.cpp +++ b/src/utilstrencodings.cpp @@ -19,7 +19,8 @@ static const string CHARS_ALPHA_NUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNO static const string SAFE_CHARS[] = { CHARS_ALPHA_NUM + " .,;-_/:?@()", // SAFE_CHARS_DEFAULT - CHARS_ALPHA_NUM + " .,;-_?@" // SAFE_CHARS_UA_COMMENT + CHARS_ALPHA_NUM + " .,;-_?@", // SAFE_CHARS_UA_COMMENT + CHARS_ALPHA_NUM + ".-_", // SAFE_CHARS_FILENAME }; string SanitizeString(const string& str, int rule) diff --git a/src/utilstrencodings.h b/src/utilstrencodings.h index cb6f014fc25..e2a1b9bef9a 100644 --- a/src/utilstrencodings.h +++ b/src/utilstrencodings.h @@ -26,7 +26,8 @@ enum SafeChars { SAFE_CHARS_DEFAULT, //!< The full set of allowed chars - SAFE_CHARS_UA_COMMENT //!< BIP-0014 subset + SAFE_CHARS_UA_COMMENT, //!< BIP-0014 subset + SAFE_CHARS_FILENAME, //!< Chars allowed in filenames }; /** diff --git a/src/wallet/wallet.cpp b/src/wallet/wallet.cpp index 63501b04be4..446454e9e37 100644 --- a/src/wallet/wallet.cpp +++ b/src/wallet/wallet.cpp @@ -3765,6 +3765,12 @@ bool CWallet::InitLoadWallet() std::string walletFile = GetArg("-wallet", DEFAULT_WALLET_DAT); + if (walletFile.find_first_of("/\\") != std::string::npos) { + return InitError(_("-wallet parameter must only specify a filename (not a path)")); + } else if (SanitizeString(walletFile, SAFE_CHARS_FILENAME) != walletFile) { + return InitError(_("Invalid characters in -wallet filename")); + } + CWallet * const pwallet = CreateWalletFromFile(walletFile); if (!pwallet) { return false;