CLOUD: Handle paths in marked places

Paths containing '../' are forbidden to use in Files Manager. There is
also a special inner black list of paths which are not used and a check
that specified path is under "savepath" or "rootpath" (from "cloud"
domain).

1 files changed, 11 insertions, 3 deletions

diff --git a/backends/networking/sdl_net/handlers/createdirectoryhandler.cpp b/backends/networking/sdl_net/handlers/createdirectoryhandler.cpp
index c539525820..284bf16651 100644
--- a/backends/networking/sdl_net/handlers/createdirectoryhandler.cpp
+++ b/backends/networking/sdl_net/handlers/createdirectoryhandler.cpp
@@ -61,6 +61,12 @@ void CreateDirectoryHandler::handle(Client &client) {
 		return;
 	}
 
+	// check that <path> contains no '../'
+	if (HandlerUtils::hasForbiddenCombinations(path)) {
+		handleError(client, _("Invalid path!"));
+		return;
+	}
+
 	// transform virtual path to actual file system one
 	Common::String prefixToRemove = "", prefixToAdd = "";
 	if (!transformPath(path, prefixToRemove, prefixToAdd) || path.empty()) {
@@ -68,10 +74,12 @@ void CreateDirectoryHandler::handle(Client &client) {
 		return;
 	}
 
-	// TODO: handle <path>
-
-	// check that <path> exists and is directory
+	// check that <path> exists, is directory and isn't forbidden
 	AbstractFSNode *node = g_system->getFilesystemFactory()->makeFileNodePath(path);
+	if (!HandlerUtils::permittedPath(node->getPath())) {
+		handleError(client, _("Invalid path!"));
+		return;
+	}
 	if (!node->exists()) {
 		handleError(client, _("Parent directory doesn't exists!"));
 		return;