From 9ff94bea3b1895005199baf1c85fde8196bf24c7 Mon Sep 17 00:00:00 2001
From: DeaDDooMER <deaddoomer@deadsoftware.ru>
Date: Wed, 21 Jun 2023 19:46:00 +0300
Subject: [PATCH] res: fix path check

---
 src/engine/e_res.pas | 36 +++++++-----------------------------
 src/game/g_game.pas  |  8 ++++++++
 2 files changed, 15 insertions(+), 29 deletions(-)

diff --git a/src/engine/e_res.pas b/src/engine/e_res.pas
index 69adb6e..81f4638 100644
--- a/src/engine/e_res.pas
+++ b/src/engine/e_res.pas
@@ -84,43 +84,21 @@ implementation
     result := Copy(path, 1, i-1)  // exclude the trailing separator
   end;
 
-  function HasRelativeDirs (name: AnsiString): Boolean;
-    var i: Integer; ch: Char;
+  function IsRelativePath (name: AnsiString): Boolean;
   begin
-    i := 1;
-    result := false;
-    while (result = false) and (name[i] <> #0) do
-    begin
-      ch := name[i];
-      if (ch = '/') or (ch = '\') then
-      begin
-        Inc(i);
-        if name[i] = '.' then
-        begin
-          Inc(i);
-          if name[i] = '.' then
-          begin
-            Inc(i);
-            ch := name[i];
-            result := (ch = #0) or (ch = '/') or (ch = '\')
-          end
-        end
-      end
-      else
-      begin
-        Inc(i)
-      end
-    end
+    result := (copy(name, 1, 3) = '../') or (pos('/../', name) <> 0) or (copy(name, Length(name) - 2) = '/..') or
+              (copy(name, 1, 3) = '..\') or (pos('\..\', name) <> 0) or (copy(name, Length(name) - 2) = '\..') or
+              (name = '..');
   end;
 
-  function HasAbsoluteDirs (name: AnsiString): Boolean;
+  function IsAbsolutePath (name: AnsiString): Boolean;
   begin
-    result := (name = '') or (name[1] = '/') or (name[1] = '\')
+    result := ExpandFileName(name) = name;
   end;
 
   function e_IsValidResourceName (name: AnsiString): Boolean;
   begin
-    result := (HasAbsoluteDirs(name) = false) and (HasRelativeDirs(name) = false)
+    result := (IsAbsolutePath(name) = false) and (IsRelativePath(name) = false)
   end;
 
   function SpawnStream (dirs: SSArray; name: AnsiString; p: SpawnProc; createNewDir: Boolean): TStream;
diff --git a/src/game/g_game.pas b/src/game/g_game.pas
index 7510eca..29668f5 100644
--- a/src/game/g_game.pas
+++ b/src/game/g_game.pas
@@ -7211,6 +7211,10 @@ begin
         g_Console_Add(_lc[I_MSG_GM_UNAVAIL])
       end
     end
+    else if not e_IsValidResourceName(P[1]) then
+    begin
+      g_Console_Add('wad name must not be absolute or relative');
+    end
     else
     begin
       if g_Game_IsServer and (gGameSettings.GameType <> GT_SINGLE) then
@@ -7338,6 +7342,10 @@ begin
           g_Console_Add(_lc[I_MSG_GM_UNAVAIL]);
         end;
       end
+      else if not e_IsValidResourceName(P[1]) then
+      begin
+        g_Console_Add('wad name must not be absolute or relative');
+      end
       else
       begin
         nm := False;
-- 
2.29.2