From dc02a789b6b2fc4e7693b2e7e69ff57b2767b889 Mon Sep 17 00:00:00 2001
From: Alexander Tkachev
Date: Mon, 1 Aug 2016 16:03:42 +0600
Subject: CLOUD: Use forbidden combinations

I accidentally tried "folder../" instead "folder/../" and understood
that I made "folder../" forbidden too, though it's a valid folder name.
---
 backends/networking/sdl_net/handlerutils.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'backends/networking/sdl_net')

diff --git a/backends/networking/sdl_net/handlerutils.cpp b/backends/networking/sdl_net/handlerutils.cpp
index f0c62d330a..dc21ab5ce1 100644
--- a/backends/networking/sdl_net/handlerutils.cpp
+++ b/backends/networking/sdl_net/handlerutils.cpp
@@ -125,7 +125,7 @@ Common::String HandlerUtils::normalizePath(const Common::String &path) {
 }
 
 bool HandlerUtils::hasForbiddenCombinations(const Common::String &path) {
-	return (path.contains("../") || path.contains("..\\"));
+	return (path.contains("/../") || path.contains("\\..\\") || path.contains("\\../") || path.contains("/..\\"));
 }
 
 bool HandlerUtils::isBlacklisted(const Common::String &path) {
-- 
cgit v1.2.3