VFS Critical Security Issue

[AF]

I ran a search for "/*" to test a new java binding I had written:

Code: Select all

	JNIEXPORT jstring JNICALL Java_aflobby_JUnitSync_SearchVFS
		(JNIEnv *env, jclass myobject, jstring pattern){
			const char* cpattern = env->GetStringUTFChars(pattern,0);

			std::string path = filesystem.GetDirectory(cpattern);
			std::string patt = filesystem.GetFilename(cpattern);
			std::vector<string> f = CFileHandler::FindFiles(path, patt);
			string s = "";
			if(f.empty()==false){
				for(vector<string>::iterator i = f.begin(); i != f.end(); ++i){
					string q = *i;
					s += q;
					s += ",";
				}
			}

			char* c = new char[max(1,(int)s.length())];
			strncpy(c,s.c_str(),s.length());
			jstring j = env->NewStringUTF(c);
			return j;

		}

and got this:

Code: Select all

\ACPI_10136.zip,\autoexec.bat,\config.sys,\P5B-1102.zip,\P5B-ASUS-1102.ROM,\sysrun23.dll,

As the result. aka C:\. So I replaced the search strign with /Windows/* and got:

\Windows\Ascd_tmp.ini, \Windows\AS_Debug.txt, \Windows\AviSplitter.INI, \Windows\bfsvc.exe, \Windows\Business.xml, \Windows\DirectX.log, \Windows\DirectX_SDK.log, \Windows\DPINST.LOG, \Windows\DtcInstall.log, \Windows\explorer.exe, \Windows\Explorer.EXE.Z-missing.txt, \Windows\fveupdate.exe, \Windows\GEARInstall.log, \Windows\glview.INI, \Windows\HelpPane.exe, \Windows\hh.exe, \Windows\iis7.log, \Windows\iPlayer.INI, \Windows\IsUninst.exe, \Windows\jestertb.dll, \Windows\KB893803v2.log, \Windows\Lexstat.ini, \Windows\lsb_un20.exe, \Windows\MEMORY.DMP, \Windows\mib.bin, \Windows\MinGW.INI, \Windows\msdfmap.ini, \Windows\NeroDigital.ini, \Windows\notepad.exe, \Windows\ntbtlog.txt, \Windows\ODBC.INI, \Windows\PFRO.log, \Windows\QTFont.for, \Windows\regedit.exe, \Windows\setupact.log, \Windows\setuperr.log, \Windows\STA2.ini, \Windows\system.ini, \Windows\TSSysprep.log, \Windows\twain.dll, \Windows\twain_32.dll, \Windows\twunk_16.exe, \Windows\twunk_32.exe, \Windows\unins000.dat, \Windows\unins000.exe, \Windows\unins001.dat, \Windows\unins001.exe, \Windows\UNNeroBackItUp.cfg, \Windows\UNNeroBackItUp.exe, \Windows\UNNeroMediaHome.cfg, \Windows\UNNeroMediaHome.exe, \Windows\UNNeroShowTime.cfg, \Windows\UNNeroShowTime.exe, \Windows\UNNeroVision.cfg, \Windows\UNNeroVision.exe, \Windows\UNRecode.cfg, \Windows\UNRecode.exe, \Windows\vbaddin.ini, \Windows\win.ini, \Windows\WindowsUpdate.log, \Windows\winhelp.exe, \Windows\winhlp32.exe, \Windows\WMSysPr9.prx, \Windows\WORDPAD.INI, \Windows\_default.pif, dows├â┬©bs├é┬«+├âÔÇÜ

Is this not somewhat of a security risk? If not a performance issue? Lua has access to the VFS too, do we really want lua UI widgets that can access and list system critical files? Even send them over the network to the host who may be waiting for them?