Comment 7 for bug 757526

Jamie Strandboge (jdstrand) wrote :

Romain, thanks for the patches. I am reviewing them now.

Felix, you stated 'The previous patch still allows up traversal at the beginning, e.g. "../foo/bar".' In bug #578856 (the original bug for CVE-2010-1000) I created a metalink file that used '<file name="../../../tmp/secunia.png">', which as you can see specifically tested if '../' was at the beginning of the string. In fact, I just tested on maverick with the metalink file I provided and when I try to open it, I see kget outputs:
kget(3314): Name attribute of Metalink::File contains directory traversal directives: "../../../tmp/secunia.png"

AFAICS, '../' at the beginning is covered. This is the code in question that was changed:
if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/.."))

Maybe I am blind, but I don't see what the problem is (I also tried metalink files with different combinations of '../' in the path). All I can see is that upstream checks if the target file is a directory, and no longer allows '.' in the name. Can you give a string that demonstrates a file traversal/overwrite with the unpatched code?
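An added illustration, not part of the bug thread or of KGet's code: the quoted check reproduced in Python (assuming Python's `re` treats `$`, `\.`, `(...)?` and an unanchored search the same way QRegExp::indexIn does, which holds for these tokens) next to a stricter component-based check that a defender would want. Apart from the two names quoted in the discussion, the sample names are constructed.

```python
import re
import posixpath

# Pattern copied verbatim from the quoted check; '$' is an end-of-string
# anchor, so '$' followed by a literal '/' can never match anything.
ORIGINAL_RE = re.compile(r"$(\.\.?)?/")


def rejects_original(name: str) -> bool:
    """Mirror the quoted condition: regex search OR '/../' inside OR ending in '/..'."""
    return bool(ORIGINAL_RE.search(name)) or "/../" in name or name.endswith("/..")


def rejects_hardened(name: str) -> bool:
    """Reject absolute names and any '.', '..' or empty path component.

    Splitting on '/' and inspecting components does not depend on where in
    the string the traversal sits, so a leading '../' is caught as well as an
    embedded one. posixpath.normpath is a second, independent check.
    """
    if not name or name.startswith("/"):
        return True
    if any(part in ("", ".", "..") for part in name.split("/")):
        return True
    norm = posixpath.normpath(name)
    return norm.startswith("..") or norm.startswith("/")


# Constructed samples; the first two strings are the ones quoted in the thread.
SAMPLES = [
    "../../../tmp/secunia.png",  # caught by the '/../' substring test
    "../foo/bar",                # leading '../' only: no '/../', regex dead
    "foo/../bar",
    "foo/..",
    "./foo",
    "/etc/passwd",
    "foo/bar.png",
]


def compare(names=SAMPLES):
    """Return {name: (original_rejects, hardened_rejects)} for each sample."""
    return {n: (rejects_original(n), rejects_hardened(n)) for n in names}


if __name__ == "__main__":
    for name, (orig, hard) in compare().items():
        print(f"{name!r:32} original={orig!s:5} hardened={hard}")
```

Running it shows why the test in the thread passes while "../foo/bar" does not: the first name is caught only by the `"/../"` substring, and the regex term never contributes.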