Merge pull request #3460 from Ghabry/ff-oob

carstene1ns · web-flow · commit fcef8dbadbc5 · 2026-01-06T17:01:33.000+01:00
String ToFile: Sanitize path
diff --git a/src/filefinder.cpp b/src/filefinder.cpp
@@ -186,7 +186,7 @@ std::string FileFinder::MakeCanonical(std::string_view path, int initial_deepnes
 				// Ignore, we are in root
 				--initial_deepness;
 			} else {
-				Output::Debug("Path traversal out of game directory: {}", path);
+				Output::Warning("Path traversal out of game directory: {}", path);
 			}
 		} else if (path_comp.empty() || path_comp == ".") {
 			// ignore
diff --git a/src/filefinder.h b/src/filefinder.h
@@ -229,15 +229,6 @@ namespace FileFinder {
 	 */
 	Filesystem_Stream::InputStream OpenText(std::string_view name);
 
-	/**
-	* Writes data to a txt file.
-	* If the file exists, it will be overwritten.
-	*
-	* @param name the text file path and name
-	* @param data the content of the text file to be written
-	*/
-	void WriteText(std::string_view name, std::string_view data);
-
 	/**
 	 * Appends name to directory.
 	 *
diff --git a/src/game_strings.cpp b/src/game_strings.cpp
@@ -20,6 +20,8 @@
 #include <lcf/encoder.h>
 #include <lcf/reader_util.h>
 #include "async_handler.h"
+#include "filefinder.h"
+#include "filesystem_stream.h"
 #include "game_map.h"
 #include "game_message.h"
 #include "game_strings.h"
@@ -237,20 +239,27 @@ bool Game_Strings::ToFile(Str_Params params, std::string filename, int encoding)
 		filename += ".txt";
 	}
 
-	auto txt_out = FileFinder::Save().OpenOutputStream(filename);
-	auto txt_dir = FileFinder::GetPathAndFilename(filename).first;
+	filename = FileFinder::MakeCanonical(filename, 1);
 
-	if (!txt_out) {
-		if (!FileFinder::Save().MakeDirectory(txt_dir, false)) {
+	auto txt_file = FileFinder::Save().FindFile(filename);
+	Filesystem_Stream::OutputStream txt_out;
+
+	if (txt_file.empty()) {
+		// File not found: Create directory hierarchy to ensure file creation succeeds
+		auto txt_dir = FileFinder::GetPathAndFilename(filename).first;
+
+		if (!txt_dir.empty() && !FileFinder::Save().MakeDirectory(txt_dir, false)) {
 			Output::Warning("Maniac String Op ToFile failed. Cannot create directory {}", txt_dir);
 			return false;
 		}
 
-		txt_out = FileFinder::Save().OpenOutputStream(filename);
-		if (!txt_out) {
-			Output::Warning("Maniac String Op ToFile failed. Cannot write to {}", filename);
-			return false;
-		}
+		txt_file = filename;
+	}
+
+	txt_out = FileFinder::Save().OpenOutputStream(txt_file);
+	if (!txt_out) {
+		Output::Warning("Maniac String Op ToFile failed. Cannot write to {}", filename);
+		return false;
 	}
 
 	if (encoding == 0) {

Original file line number	Diff line number	Diff line change
`@@ -186,7 +186,7 @@ std::string FileFinder::MakeCanonical(std::string_view path, int initial_deepnes`
`186`	`186`	`// Ignore, we are in root`
`187`	`187`	`--initial_deepness;`
`188`	`188`	`} else {`
`189`		`- Output::Debug("Path traversal out of game directory: {}", path);`
	`189`	`+ Output::Warning("Path traversal out of game directory: {}", path);`
`190`	`190`	`}`
`191`	`191`	`} else if (path_comp.empty() \|\| path_comp == ".") {`
`192`	`192`	`// ignore`