From b04d50271ef8d038755f76cdd22e96c285420818 Mon Sep 17 00:00:00 2001 From: Hunter Stanton Date: Wed, 13 Aug 2025 11:36:04 -0700 Subject: [PATCH] Fix path traversal in load_page (#1257) --- .../Controllers/MainWindowController.swift | 24 +++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/code/apps/Managed Software Center/Managed Software Center/Controllers/MainWindowController.swift b/code/apps/Managed Software Center/Managed Software Center/Controllers/MainWindowController.swift index f08d7b27..1835a1ad 100755 --- a/code/apps/Managed Software Center/Managed Software Center/Controllers/MainWindowController.swift +++ b/code/apps/Managed Software Center/Managed Software Center/Controllers/MainWindowController.swift @@ -922,12 +922,28 @@ class MainWindowController: NSWindowController { func load_page(_ url_fragment: String) { // Tells the WebView to load the appropriate page msc_debug_log("load_page request for \(url_fragment)") + + let baseURL = URL(fileURLWithPath: htmlDir).standardizedFileURL + let requestURL = baseURL.appendingPathComponent(url_fragment).standardizedFileURL + + let baseComponents = baseURL.pathComponents + let requestComponents = requestURL.pathComponents + + guard requestComponents.starts(with: baseComponents) else { + msc_debug_log("Attempt to access file outside htmlDir: \(url_fragment)") + let errorURL = baseURL.appendingPathComponent("error.html") + webView.load(URLRequest(url: errorURL)) + return + } + + let request = URLRequest( + url: requestURL, + cachePolicy: .reloadIgnoringLocalCacheData, + timeoutInterval: 10.0 + ) - let html_file = NSString.path(withComponents: [htmlDir, url_fragment]) - let request = URLRequest(url: URL(fileURLWithPath: html_file), - cachePolicy: .reloadIgnoringLocalCacheData, - timeoutInterval: TimeInterval(10.0)) webView.load(request) + if url_fragment == "updates.html" { if !_update_in_progress && NSApp.isActive { // clear all earlier update notifications