MantisBT - CDash
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0010916CDashpublic2010-06-30 05:532010-10-28 05:53
ReporterMichal Cihar 
Assigned ToJulien Jomier 
PrioritynormalSeveritymajorReproducibilityalways
StatusresolvedResolutionfixed 
PlatformOSOS Version
Product Version1.7 
Target VersionFixed in Version1.8 
Summary0010916: Fails to escape build name
DescriptionIf build name contains slash, the upload to CDash fails, because it attempts to store file with name containing slash:

Deprecated: Function ereg() is deprecated in cdash/ctestparser.php on line 57

Warning: fopen(backup/Gammu_rincewind_Debian/x86_64/WITH_AT_SUPPORT-OFF_20100630-0937-Experimental_127789108352_Configure.xml): failed to open stream: No such file or directory in cdash/ctestparser.php on line 164
Cannot open file (backup/Gammu_rincewind_Debian/x86_64/WITH_AT_SUPPORT-OFF_20100630-0937-Experimental_127789108352_Configure.xml)
Steps To Reproduce
Additional InformationMore importantly, adding .. to build name could lead to escaping from backup directory and to overwriting arbitrary files on the disk, what is clearly a security issue.
TagsNo tags attached.
Relationships
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2010-06-30 05:53Michal CiharNew Issue
2010-10-28 05:04Julien JomierStatusnew => assigned
2010-10-28 05:04Julien JomierAssigned To => Julien Jomier
2010-10-28 05:53Julien JomierNote Added: 0022726
2010-10-28 05:53Julien JomierStatusassigned => resolved
2010-10-28 05:53Julien JomierFixed in Version => 1.8
2010-10-28 05:53Julien JomierResolutionopen => fixed

Notes
(0022726)
Julien Jomier   
2010-10-28 05:53   
Now making sure the logs are actually written in the backup directory. Thanks for the report!