File CVE-2023-28371-3.patch of Package stellarium.17886

From eba61df3b38605befcb43687a4c0a159dbc0c5cb Mon Sep 17 00:00:00 2001
From: Georg Zotti <Georg.Zotti@univie.ac.at>
Date: Sat, 4 Mar 2023 18:02:01 +0100
Subject: [PATCH] Fix a possible security issue - disallow overwriting
 config.ini

---
 src/scripting/StelScriptOutput.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/scripting/StelScriptOutput.cpp b/src/scripting/StelScriptOutput.cpp
index 94af2d2d4d6c..f994e36981c1 100644
--- a/src/scripting/StelScriptOutput.cpp
+++ b/src/scripting/StelScriptOutput.cpp
@@ -62,6 +62,12 @@ void StelScriptOutput::saveOutputAs(const QString &name)
 
 	const bool okToSaveToAbsolutePath=StelApp::getInstance().getSettings()->value("scripts/flag_script_allow_write_absolute_path", false).toBool();
 
+	if (name.contains("config.ini"))
+	{
+		qWarning() << "SCRIPTING ERROR: You are trying to overwrite config.ini. Ignoring.";
+		return;
+	}
+
 	if (!okToSaveToAbsolutePath && ((newFileNameInfo.isAbsolute() || (name.contains(".."))))) // The last condition may include dangerous/malicious paths
 	{
 		qWarning() << "SCRIPTING CONFIGURATION ISSUE: You are trying to save to an absolute pathname or move up in directories.";
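Review bot: The added guard `name.contains("config.ini")` is a case-sensitive substring test on the raw script-supplied name, so on a case-insensitive filesystem a differently-cased spelling of the same file is not rejected, and neither is any other path that resolves to the settings file. At minimum make it `if (name.contains("config.ini", Qt::CaseInsensitive))`. More robust is to resolve the final target path and compare it with the active settings file, e.g. against `QFileInfo(StelApp::getInstance().getSettings()->fileName()).canonicalFilePath()` (assuming `getSettings()` returns a `QSettings*`, as the `value(...)` call suggests), instead of matching on a name. The substring test also refuses unrelated names such as `myconfig.ini.bak`; if that over-blocking is intended, say so in a comment like `// deliberately broad: reject anything that mentions config.ini`. `saveOutputAs` starts and ends outside this hunk, so how `newFileNameInfo` is built and where the file is opened could not be checked here.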