From c2ac733c88d1e282cdf1eee8322f66fac683fa80 Mon Sep 17 00:00:00 2001 From: huaqingsimeng <1004904143@qq.com> Date: Thu, 23 Mar 2023 07:10:17 +0000 Subject: [PATCH] =?UTF-8?q?=E5=A4=87=E4=BB=BD=E6=81=A2=E5=A4=8D=E6=97=B6?= =?UTF-8?q?=E6=96=87=E4=BB=B6=E5=BC=82=E5=B8=B8=E5=A4=84=E7=90=86?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: huaqingsimeng --- frameworks/native/backup_ext/src/ext_extension.cpp | 8 ++++++++ services/backup_sa/src/module_ipc/service.cpp | 3 +++ 2 files changed, 11 insertions(+) diff --git a/frameworks/native/backup_ext/src/ext_extension.cpp b/frameworks/native/backup_ext/src/ext_extension.cpp index cae67913b..3bb40c769 100644 --- a/frameworks/native/backup_ext/src/ext_extension.cpp +++ b/frameworks/native/backup_ext/src/ext_extension.cpp @@ -17,6 +17,7 @@ #include #include +#include #include #include #include @@ -69,6 +70,10 @@ UniqueFd BackupExtExtension::GetFileHandle(const string &fileName) VerifyCaller(); + if (!regex_match(fileName, regex("^[0-9a-zA-Z_.]+$"))) { + throw BError(BError::Codes::EXT_INVAL_ARG, "Filename is not alphanumeric"); + } + string path = string(BConstants::PATH_BUNDLE_BACKUP_HOME).append(BConstants::SA_BUNDLE_BACKUP_RESTORE); if (mkdir(path.data(), S_IRWXU) && errno != EEXIST) { stringstream ss; @@ -78,6 +83,9 @@ UniqueFd BackupExtExtension::GetFileHandle(const string &fileName) } string tarName = path + fileName; + if (access(tarName.c_str(), F_OK) == 0) { + throw BError(BError::Codes::EXT_INVAL_ARG, string("The file already exists")); + } return UniqueFd(open(tarName.data(), O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR)); } diff --git a/services/backup_sa/src/module_ipc/service.cpp b/services/backup_sa/src/module_ipc/service.cpp index b6debaa69..1cf06c640 100644 --- a/services/backup_sa/src/module_ipc/service.cpp +++ b/services/backup_sa/src/module_ipc/service.cpp 
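Review bot: In `BackupExtExtension::GetFileHandle` the pattern `^[0-9a-zA-Z_.]+$` also accepts the names `.` and `..` and puts no bound on length, and the message "Filename is not alphanumeric" does not describe what is actually accepted. Those two directory names appear to be stopped only by the later `access()` check, so the validation would be sturdier if it rejected them itself, e.g. `if (fileName == "." || fileName == ".." || !regex_match(fileName, kFileNameRe))`, with `static const regex kFileNameRe("^[0-9a-zA-Z_.]+$");` so the regex is not recompiled on every call (`kFileNameRe` is a suggested name). The same pattern and message are repeated in the `Service::GetExtFileName` hunk of service.cpp, and a shared constant would keep the two checks from drifting apart. The function body starts outside the hunk.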
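Review bot: In `GetFileHandle`, `access(tarName.c_str(), F_OK)` followed by `open(..., O_RDWR | O_CREAT | O_TRUNC, ...)` is a check-then-use race: a file or symlink that appears at `tarName` between the two calls is still opened and truncated. Letting `open()` do the existence check atomically closes the gap, `return UniqueFd(open(tarName.data(), O_RDWR | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR));`, since `O_EXCL` fails with `EEXIST` for an existing file and also for a symlink in the final path component. That `errno` value can then be mapped to the "The file already exists" error. The result of `open()` is also handed to `UniqueFd` unchecked in the visible lines, so a failed open seems to reach the caller as an invalid descriptor rather than a `BError`.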
@@ -389,6 +389,9 @@ ErrCode Service::GetExtFileName(string &bundleName, string &fileName) try { HILOGE("begin"); VerifyCaller(IServiceReverse::Scenario::RESTORE); + if (!regex_match(fileName, regex("^[0-9a-zA-Z_.]+$"))) { + throw BError(BError::Codes::SA_INVAL_ARG, "Filename is not alphanumeric"); + } session_->SetExtFileNameRequest(bundleName, fileName); return BError(BError::Codes::OK); } catch (const BError &e) { -- Gitee
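Review bot: Only `fileName` is validated before `session_->SetExtFileNameRequest(bundleName, fileName)`; `bundleName` is forwarded as received. If the session code does not already reject unknown bundle names (not visible here), it should be checked at this boundary as well. If it does, a comment such as `// bundleName is validated by the session lookup` would show that the asymmetry is intentional. The `try` block starts and the `catch` handler continues outside the hunk.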