more work toward keeping /~/../.. from working

2025-08-05 03:01:52 +02:00 · 2016-04-29 11:03:14 -07:00 · 2016-04-29 11:03:14 -07:00 · f03130ff5a
commit f03130ff5a
parent ced18fe6be
3 changed files with 26 additions and 6 deletions
--- a/libraries/script-engine/src/ScriptEngine.cpp
+++ b/libraries/script-engine/src/ScriptEngine.cpp
@ -914,7 +914,12 @@ void ScriptEngine::include(const QStringList& includeFiles, QScriptValue callbac
    for (QString file : includeFiles) {
        QUrl thisURL;
        if (file.startsWith("/~/")) {
-            thisURL = expandScriptUrl(QUrl::fromLocalFile(file));
+            thisURL = expandScriptUrl(QUrl::fromLocalFile(expandScriptPath(file)));
+            QUrl defaultScriptsLoc = defaultScriptsLocation();
+            if (!defaultScriptsLoc.isParentOf(thisURL)) {
+                qDebug() << "ScriptEngine::include -- skipping" << file << "-- outside of standard libraries";
+                continue;
+            }
        } else {
            thisURL = resolvePath(file);
        }
--- a/libraries/script-engine/src/ScriptEngines.cpp
+++ b/libraries/script-engine/src/ScriptEngines.cpp
@ -70,6 +70,12 @@ QUrl normalizeScriptURL(const QUrl& rawScriptURL) {
    }
 }

+QString expandScriptPath(const QString& rawPath) {
+    QStringList splitPath = rawPath.split("/");
+    QUrl defaultScriptsLoc = defaultScriptsLocation();
+    return defaultScriptsLoc.path() + "/" + splitPath.mid(2).join("/"); // 2 to skip the slashes in /~/
+}
+
 QUrl expandScriptUrl(const QUrl& rawScriptURL) {
    QUrl normalizedScriptURL = normalizeScriptURL(rawScriptURL);
    if (normalizedScriptURL.scheme() == "http" ||
@ -79,17 +85,25 @@ QUrl expandScriptUrl(const QUrl& rawScriptURL) {
    } else if (normalizedScriptURL.scheme() == "file") {
        if (normalizedScriptURL.path().startsWith("/~/")) {
            QUrl url = normalizedScriptURL;
-            QStringList splitPath = url.path().split("/");
-            QUrl defaultScriptsLoc = defaultScriptsLocation();
-            url.setPath(defaultScriptsLoc.path() + "/" + splitPath.mid(2).join("/")); // 2 to skip the slashes in /~/
+            url.setPath(expandScriptPath(url.path()));

            // stop something like Script.include(["/~/../Desktop/naughty.js"]); from working
            QFileInfo fileInfo(url.toLocalFile());
+            #if defined(Q_OS_WIN)
+            url = QUrl::fromLocalFile(fileInfo.canonicalFilePath().toLower());
+            #elif defined(Q_OS_OSX)
+            url = QUrl::fromLocalFile(fileInfo.canonicalFilePath().toLower());
+            #else
            url = QUrl::fromLocalFile(fileInfo.canonicalFilePath());
+            #endif
+
+            QUrl defaultScriptsLoc = defaultScriptsLocation();
            if (!defaultScriptsLoc.isParentOf(url)) {
                qCWarning(scriptengine) << "Script.include() ignoring file path" << rawScriptURL
-                                        << "-- outside of standard libraries: " << url.path() << defaultScriptsLoc.path();
-                return QUrl("");
+                                        << "-- outside of standard libraries: "
+                                        << url.path()
+                                        << defaultScriptsLoc.path();
+                return rawScriptURL;
            }
            return url;
        }
--- a/libraries/script-engine/src/ScriptEngines.h
+++ b/libraries/script-engine/src/ScriptEngines.h
@ -101,6 +101,7 @@ protected:
 };

 QUrl normalizeScriptURL(const QUrl& rawScriptURL);
+QString expandScriptPath(const QString& rawPath);
 QUrl expandScriptUrl(const QUrl& rawScriptURL);

 #endif // hifi_ScriptEngine_h