RepoMirrors/tdesktop
1
0
Fork 0
mirror of https://github.com/telegramdesktop/tdesktop synced 2025-04-01 00:08:02 +00:00
Code Issues Projects Releases Wiki Activity

Add ".download" for .lnk and .scf file names.

Browse Source 
This is a workaround for some windows shell vulnerabilities.

See http://www.defensecode.com/whitepapers/
Stealing-Windows-Credentials-Using-Google-Chrome.pdf
This commit is contained in:
John Preston 2018-03-06 19:04:47 +03:00
parent cb5ba7edda
commit dcf70b2847
3 changed files with 37 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
Telegram/SourceFiles/data/data_document.cpp
View File

@ -65,7 +65,13 @@ bool fileIsImage(const QString &name, const QString &mime) {
return false; return false;
} }
QString saveFileName(const QString &title, const QString &filter, const QString &prefix, QString name, bool savingAs, const QDir &dir) { QString FileNameUnsafe(
const QString &title,
const QString &filter,
const QString &prefix,
QString name,
bool savingAs,
const QDir &dir) {
#ifdef Q_OS_WIN #ifdef Q_OS_WIN
name = name.replace(QRegularExpression(qsl("[\\\\\\/\\:\\*\\?\\\"\\<\\>\\|]")), qsl("_")); name = name.replace(QRegularExpression(qsl("[\\\\\\/\\:\\*\\?\\\"\\<\\>\\|]")), qsl("_"));
#elif defined Q_OS_MAC #elif defined Q_OS_MAC
@ -152,6 +158,33 @@ QString saveFileName(const QString &title, const QString &filter, const QString
return name; return name;
} }
QString FileNameForSave(
const QString &title,
const QString &filter,
const QString &prefix,
QString name,
bool savingAs,
const QDir &dir) {
const auto result = FileNameUnsafe(
title,
filter,
prefix,
name,
savingAs,
dir);
#ifdef Q_OS_WIN
const auto lower = result.trimmed().toLower();
const auto kBadExtensions = { qstr(".lnk"), qstr(".scf") };
const auto kMaskExtension = qsl(".download");
for (const auto extension : kBadExtensions) {
if (lower.endsWith(extension)) {
return result + kMaskExtension;
}
}
#endif // Q_OS_WIN
return result;
}
QString documentSaveFilename(const DocumentData *data, bool forceSavingAs = false, const QString already = QString(), const QDir &dir = QDir()) { QString documentSaveFilename(const DocumentData *data, bool forceSavingAs = false, const QString already = QString(), const QDir &dir = QDir()) {
auto alreadySavingFilename = data->loadingFilePath(); auto alreadySavingFilename = data->loadingFilePath();
if (!alreadySavingFilename.isEmpty()) { if (!alreadySavingFilename.isEmpty()) {
@ -195,7 +228,7 @@ QString documentSaveFilename(const DocumentData *data, bool forceSavingAs = fals
prefix = qsl("doc"); prefix = qsl("doc");
} }
return saveFileName(caption, filter, prefix, name, forceSavingAs, dir); return FileNameForSave(caption, filter, prefix, name, forceSavingAs, dir);
} }
void DocumentOpenClickHandler::doOpen( void DocumentOpenClickHandler::doOpen(

2
Telegram/SourceFiles/data/data_document.h
View File

@ -288,7 +288,7 @@ protected:
}; };
QString saveFileName( QString FileNameForSave(
const QString &title, const QString &title,
const QString &filter, const QString &filter,
const QString &prefix, const QString &prefix,

2
Telegram/SourceFiles/mediaview.cpp
View File

@ -821,7 +821,7 @@ void MediaView::onSaveAs() {
} }
psBringToBack(this); psBringToBack(this);
file = saveFileName(lang(lng_save_file), filter, qsl("doc"), name, true, alreadyDir); file = FileNameForSave(lang(lng_save_file), filter, qsl("doc"), name, true, alreadyDir);
psShowOverAll(this); psShowOverAll(this);
if (!file.isEmpty() && file != location.name()) { if (!file.isEmpty() && file != location.name()) {
if (_doc->data().isEmpty()) { if (_doc->data().isEmpty()) {