AaronFiore/electrum
1
0
Fork 0
Code Activity

qml wizard: even stricter validation for new wallet name

Browse Source 
related: 07dc80dd9a
This commit is contained in:
SomberNight
2024-05-28 14:20:28 +00:00
parent 9f74ba4e8c
commit e8a9e45291
1 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
electrum/gui/qml/qewizard.py
View File

@@ -130,8 +130,13 @@ class QENewWalletWizard(NewWalletWizard, QEAbstractWizard):
return False return False
wallet_path = self._wallet_path_from_wallet_name(wallet_name) wallet_path = self._wallet_path_from_wallet_name(wallet_name)
# note: we should probably restrict wallet names to be alphanumeric (plus underscore, etc)... # note: we should probably restrict wallet names to be alphanumeric (plus underscore, etc)...
# wallet_name might contain ".." (etc) and hence sketchy path traversals are possible. # try to prevent sketchy path traversals:
# Anyway, this at least validates that the path looks sane to the filesystem: for forbidden_char in ("/", "\\", ):
if forbidden_char in wallet_name:
return False
if os.path.basename(wallet_name) != wallet_name:
return False
# validate that the path looks sane to the filesystem:
try: try:
temp_storage = WalletStorage(wallet_path) temp_storage = WalletStorage(wallet_path)
except (StorageReadWriteError, WalletFileException) as e: except (StorageReadWriteError, WalletFileException) as e: