From a8eed396b539978eac45cfd9f326faa5687e5d24 Mon Sep 17 00:00:00 2001
From: Sergey Matveev
Date: Sat, 21 Jan 2017 14:44:33 +0300
Subject: [PATCH] Check that path taken from the packets is relative
---
 src/cypherpunks.ru/nncp/toss.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/cypherpunks.ru/nncp/toss.go b/src/cypherpunks.ru/nncp/toss.go
index 9d17053..8a48e91 100644
--- a/src/cypherpunks.ru/nncp/toss.go
+++ b/src/cypherpunks.ru/nncp/toss.go
@@ -163,6 +163,11 @@ func (ctx *Ctx) Toss(nodeId *NodeId, nice uint8, dryRun bool) bool {
 case PktTypeFile:
 dst := string(pkt.Path[:int(pkt.PathLen)])
 sds := SdsAdd(sds, SDS{"type": "file", "dst": dst})
+ if filepath.IsAbs(dst) {
+ ctx.LogE("rx", sds, "non-relative destination path")
+ isBad = true
+ goto Closing
+ }
 incoming := ctx.Neigh[*job.PktEnc.Sender].Incoming
 if incoming == nil {
 ctx.LogE("rx", sds, "incoming is not allowed")
@@ -237,6 +242,11 @@ func (ctx *Ctx) Toss(nodeId *NodeId, nice uint8, dryRun bool) bool {
 }
 case PktTypeFreq:
 src := string(pkt.Path[:int(pkt.PathLen)])
+ if filepath.IsAbs(src) {
+ ctx.LogE("rx", sds, "non-relative source path")
+ isBad = true
+ goto Closing
+ }
 sds := SdsAdd(sds, SDS{"type": "freq", "src": src})
 dstRaw, err := ioutil.ReadAll(pipeR)
 if err != nil {
-- 
2.48.1
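Review bot: `filepath.IsAbs(dst)` in the PktTypeFile case rejects only absolute paths, so a packet path containing parent-directory components (for example `../x`) still counts as relative and passes; the same applies to the `src` check in the PktTypeFreq hunk. How `dst` and `src` are later combined with the incoming or freq directory lies outside these hunks, but if they are joined onto a base directory the result can resolve outside it. The guard should clean the path and refuse escapes too, e.g. `if c := filepath.Clean(dst); filepath.IsAbs(c) || c == ".." || strings.HasPrefix(c, ".."+string(filepath.Separator)) {` (this needs `strings` in scope), or `!filepath.IsLocal(dst)` where the toolchain is Go 1.20 or later. Toss's body begins and ends outside both hunks.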
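Review bot: In the PktTypeFreq case the new check runs before `sds := SdsAdd(sds, SDS{"type": "freq", "src": src})`, so the "non-relative source path" entry is logged with the outer `sds` and carries neither the packet type nor the offending path, unlike the PktTypeFile case where the check follows the SdsAdd call. Moving the `if filepath.IsAbs(src) {` block to just after the `sds := SdsAdd(...)` line would make the rejection record the `src` that triggered it, which is what an operator needs to trace a misbehaving sender. The rest of the case body and the `Closing` label are outside the hunk.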