From 2da78c0877a7fa924f62cc76700f3da29c47f5ad Mon Sep 17 00:00:00 2001
From: Marco Nelissen
Date: Wed, 6 May 2009 11:08:08 -0700
Subject: Don't allow '/../' to be part of the path for delete file triggers.
---
 android/sqlite3_android.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'android/sqlite3_android.cpp')
diff --git a/android/sqlite3_android.cpp b/android/sqlite3_android.cpp
index 27334ef..3e11808 100644
--- a/android/sqlite3_android.cpp
+++ b/android/sqlite3_android.cpp
@@ -161,7 +161,11 @@ static void delete_file(sqlite3_context * context, int argc, sqlite3_value ** ar
 sqlite3_result_null(context);
 return;
 }
-
+ if (strstr(path, "/../") != NULL) {
+ sqlite3_result_null(context);
+ return;
+ }
+
 int err = unlink(path);
 if (err != -1) {
 // No error occured, return true
--
cgit v1.2.3
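Review bot: The added `strstr(path, "/../")` test only rejects a parent-directory component in the middle of the string, so a path that begins with `../` would still reach `unlink(path)` unless a check outside this hunk already requires an absolute path. If relative paths can arrive here, the guard should cover that case too, e.g. `if (strncmp(path, "../", 3) == 0 || strstr(path, "/../") != NULL) {`. A substring denylist also says nothing about symlinked directories, so a more robust design is to canonicalise the parent directory and compare it with the directory that triggers are allowed to delete from. The new branch would also benefit from a comment such as `// Reject parent-directory traversal so a trigger cannot delete files outside the intended tree`. The body of delete_file starts and ends outside the hunk, so earlier validation of `path` is not visible here.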