diff --git a/libraries/script-engine/src/ScriptEngine.cpp b/libraries/script-engine/src/ScriptEngine.cpp
index 19246dd355..78a0ad2d19 100644
--- a/libraries/script-engine/src/ScriptEngine.cpp
+++ b/libraries/script-engine/src/ScriptEngine.cpp
@@ -914,7 +914,12 @@ void ScriptEngine::include(const QStringList& includeFiles, QScriptValue callbac
     for (QString file : includeFiles) {
         QUrl thisURL;
         if (file.startsWith("/~/")) {
-            thisURL = expandScriptUrl(QUrl::fromLocalFile(file));
+            thisURL = expandScriptUrl(QUrl::fromLocalFile(expandScriptPath(file)));
+            QUrl defaultScriptsLoc = defaultScriptsLocation();
+            if (!defaultScriptsLoc.isParentOf(thisURL)) {
+                qDebug() << "ScriptEngine::include -- skipping" << file << "-- outside of standard libraries";
+                continue;
+            }
         } else {
             thisURL = resolvePath(file);
         }
diff --git a/libraries/script-engine/src/ScriptEngines.cpp b/libraries/script-engine/src/ScriptEngines.cpp
index 80f2216e2b..aed2d15a1a 100644
--- a/libraries/script-engine/src/ScriptEngines.cpp
+++ b/libraries/script-engine/src/ScriptEngines.cpp
@@ -70,6 +70,12 @@ QUrl normalizeScriptURL(const QUrl& rawScriptURL) {
     }
 }
 
+QString expandScriptPath(const QString& rawPath) {
+    QStringList splitPath = rawPath.split("/");
+    QUrl defaultScriptsLoc = defaultScriptsLocation();
+    return defaultScriptsLoc.path() + "/" + splitPath.mid(2).join("/"); // 2 to skip the slashes in /~/
+}
+
 QUrl expandScriptUrl(const QUrl& rawScriptURL) {
     QUrl normalizedScriptURL = normalizeScriptURL(rawScriptURL);
     if (normalizedScriptURL.scheme() == "http" ||
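Review bot: The new guard in include() runs QUrl::isParentOf against a path that has not been canonicalized, so a `/~/` path carrying `..` segments can still pass: expandScriptPath() rewrites the prefix textually, and because its result no longer starts with `/~/`, the canonicalFilePath() branch in expandScriptUrl() (ScriptEngines.cpp, same commit) is not entered for it, leaving isParentOf to do a plain prefix comparison on the unresolved path. Resolve the path before comparing, e.g. `QFileInfo info(thisURL.toLocalFile());` then `thisURL = QUrl::fromLocalFile(info.canonicalFilePath());` ahead of the `isParentOf` line, noting that canonicalFilePath() is empty for a file that does not exist, which the check then rejects. The skip is logged with qDebug() while the equivalent rejection in expandScriptUrl() uses qCWarning(scriptengine); using the same category keeps these refusals visible in the script-engine log. The enclosing include() body continues outside the hunk.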
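Review bot: expandScriptPath() has an undocumented precondition that rawPath begins with `/~/`: `splitPath.mid(2)` silently drops the first two segments of any other input, and the rewrite is purely textual, so `.` and `..` segments survive into the returned string. Both callers in this commit depend on a later canonicalization or containment check, which is worth stating at the definition so a future caller does not treat the return value as safe on its own. A header comment such as `// Rewrites a "/~/..." script path under defaultScriptsLocation(). Textual only: dot segments are preserved, so callers must canonicalize before any containment check. Expects rawPath to start with "/~/".` together with `Q_ASSERT(rawPath.startsWith("/~/"));` as the first statement would make the contract explicit.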
@@ -79,17 +85,25 @@ QUrl expandScriptUrl(const QUrl& rawScriptURL) {
     } else if (normalizedScriptURL.scheme() == "file") {
         if (normalizedScriptURL.path().startsWith("/~/")) {
             QUrl url = normalizedScriptURL;
-            QStringList splitPath = url.path().split("/");
-            QUrl defaultScriptsLoc = defaultScriptsLocation();
-            url.setPath(defaultScriptsLoc.path() + "/" + splitPath.mid(2).join("/")); // 2 to skip the slashes in /~/
+            url.setPath(expandScriptPath(url.path()));
 
             // stop something like Script.include(["/~/../Desktop/naughty.js"]); from working
             QFileInfo fileInfo(url.toLocalFile());
+            #if defined(Q_OS_WIN)
+            url = QUrl::fromLocalFile(fileInfo.canonicalFilePath().toLower());
+            #elif defined(Q_OS_OSX)
+            url = QUrl::fromLocalFile(fileInfo.canonicalFilePath().toLower());
+            #else
             url = QUrl::fromLocalFile(fileInfo.canonicalFilePath());
+            #endif
+
+            QUrl defaultScriptsLoc = defaultScriptsLocation();
             if (!defaultScriptsLoc.isParentOf(url)) {
                 qCWarning(scriptengine) << "Script.include() ignoring file path" << rawScriptURL
-                                        << "-- outside of standard libraries: " << url.path() << defaultScriptsLoc.path();
-                return QUrl("");
+                                        << "-- outside of standard libraries: "
+                                        << url.path()
+                                        << defaultScriptsLoc.path();
+                return rawScriptURL;
             }
             return url;
         }
diff --git a/libraries/script-engine/src/ScriptEngines.h b/libraries/script-engine/src/ScriptEngines.h
index 5de71663e9..0963b21600 100644
--- a/libraries/script-engine/src/ScriptEngines.h
+++ b/libraries/script-engine/src/ScriptEngines.h
@@ -101,6 +101,7 @@ protected:
 };
 
 QUrl normalizeScriptURL(const QUrl& rawScriptURL);
+QString expandScriptPath(const QString& rawPath);
 QUrl expandScriptUrl(const QUrl& rawScriptURL);
 
 #endif // hifi_ScriptEngine_h
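Review bot: Replacing `return QUrl("");` with `return rawScriptURL;` on the rejection path turns a fail-closed result into one that looks usable: a caller that detected refusal with isEmpty() now receives a file URL with the original `/~/` path and no signal that it was rejected, so containment depends on every caller repeating the isParentOf check (only include() in ScriptEngine.cpp does so in this commit; other callers are not visible here). Keeping the empty return, or reporting the refusal through a separate status, avoids relying on each caller. Separately, the Q_OS_WIN and Q_OS_OSX branches are identical and can collapse to `#if defined(Q_OS_WIN) || defined(Q_OS_OSX)`, and lowering only `url` makes isParentOf fail whenever defaultScriptsLocation() contains uppercase characters unless that function lowercases as well (not visible here); applying the same transformation to both sides of the comparison, and returning the un-lowered canonical path so the file is still found on a case-sensitive volume, keeps the check consistent. The enclosing expandScriptUrl() body continues outside the hunk.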