Subj : src/sbbs3/js_filebase.c js_msgbase.c
To : Git commit to main/sbbs/master
From : Rob Swindell (on Debian Linux)
Date : Wed Sep 03 2025 20:43:12

https://gitlab.synchro.net/main/sbbs/-/commit/93b4d946cc12ad15f15773af
Modified Files:
src/sbbs3/js_filebase.c js_msgbase.c
Log Message:
Security improvements to MsgBase and FileBase constructors

Require an initial 'true' parameter before treating the string argument to the constructor as a path/filename to a msg/file base.

As Deuce discovered, not all scripts (e.g. the legacy/runemaster web UI) do a good job of validating client/user-supplied parameters to these constructors so a sysop can end up with some unexplained and suspicious-looking SMB files (e.g. *.sid, *.shd, *.sdt) in their ctrl directory (or possibly, but hopefully not, somewhere else). So the old "feature" of supporting an arbitrary msg or filebase path passed to the constructor now requires a unique calling pattern so this shouldn't be a problem from now on.

Also, it appears the arbitrary FileBase creation/opening didn't really work anyway, so that's now fixed.

Also, do a better job of validating an arbitrary *base path and filename so that malicious(looking) filenames won't be created, ever, using these classes.

And improve the exception/error messages and JSDOCs.

---
 ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net
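
Script-side validation of the kind the log message says some scripts lack, as an added example that is not part of the commit or of Synchronet's own code. The `msg_area` table and the `MsgBase` function below are constructed stand-ins modelled on the log message's description so the block runs outside the BBS; `resolveSubCode` and `openSubForClient` are hypothetical helper names.

```javascript
// Constructed stand-ins so the example runs outside the BBS (e.g. under Node.js).
// In a Synchronet script, msg_area.sub and MsgBase are supplied by the host.
const msg_area = { sub: { general: { code: "general" }, sysops: { code: "sysops" } } };
const opened = []; // records every base the stub constructor was asked to open

// Stub modelling the calling patterns described in the log message:
//   new MsgBase(code)        -> configured sub-board only
//   new MsgBase(true, path)  -> explicit opt-in to an arbitrary base path
function MsgBase(first, second) {
  const byPath = first === true;
  const name = byPath ? second : first;
  if (!byPath && !Object.prototype.hasOwnProperty.call(msg_area.sub, name)) {
    throw new Error("not a configured sub-board: " + name); // constructed message
  }
  opened.push({ byPath: byPath, name: name });
}

// Hypothetical helper: turn a client-supplied value into a configured
// sub-board code, or null. An own-property lookup is used instead of a
// truthiness test on msg_area.sub[input], so inherited names
// ("constructor", "__proto__") and path-like strings never pass.
function resolveSubCode(input) {
  if (typeof input !== "string") return null;
  return Object.prototype.hasOwnProperty.call(msg_area.sub, input) ? input : null;
}

// Hypothetical wrapper a web script would call with a request parameter.
// It never uses the (true, path) form, so client input cannot name a file.
function openSubForClient(input) {
  const code = resolveSubCode(input);
  return code === null ? null : new MsgBase(code);
}
```

Keeping the `(true, path)` form out of any code path that handles request parameters means only sysop-authored scripts can open a base by path.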