commit 429dd530b43d9d26ca2257dace314a0c7d493638
from: Markus Uhlin <markus@nifty-networks.net>
via: GitHub <noreply@github.com>
date: Sat Aug 16 13:07:29 2025 UTC

Potential fix for code scanning alert no. 5: Uncontrolled data used in path expression

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

commit - e2ad1172cacfb9a83494317428161143e884125f
commit + 429dd530b43d9d26ca2257dace314a0c7d493638
blob - f76c015a1ebcba024acf9d74ed122aa45752dd8c
blob + d8c6a7cd2cf3a870ba82c0baf33275943ea75e79
--- FICS/gamedb.c
+++ FICS/gamedb.c
@@ -1724,6 +1724,12 @@ RemHist(char *who)
 			}
 
 			stolower(Opp);
+			/* Validate Opp before using it as a login */
+			if (strstr(Opp, "..") || strchr(Opp, '/') || strchr(Opp, '\\')) {
+				warnx("%s: invalid Opp value: '%s' (skipping)", __func__, Opp);
+				iter_no++;
+				continue;
+			}
 			oppWhen = OldestHistGame(Opp);
 
 			if (oppWhen > When || oppWhen <= 0L) {