commit e237eae01f3b65afd11a09b805637ba562108036 from: Markus Uhlin via: GitHub date: Sat Aug 16 13:09:36 2025 UTC Merge pull request #6 from uhlin/alert-autofix-5 Potential fix for code scanning alert no. 5: Uncontrolled data used in path expression commit - e2ad1172cacfb9a83494317428161143e884125f commit + e237eae01f3b65afd11a09b805637ba562108036 blob - f76c015a1ebcba024acf9d74ed122aa45752dd8c blob + d8c6a7cd2cf3a870ba82c0baf33275943ea75e79
--- FICS/gamedb.c
+++ FICS/gamedb.c
@@ -1724,6 +1724,12 @@ RemHist(char *who)
 }
 stolower(Opp);
+ /* Validate Opp before using it as a login */
+ if (strstr(Opp, "..") || strchr(Opp, '/') || strchr(Opp, '\\')) {
+ warnx("%s: invalid Opp value: '%s' (skipping)", __func__, Opp);
+ iter_no++;
+ continue;
+ }
 oppWhen = OldestHistGame(Opp);
 if (oppWhen > When || oppWhen <= 0L) {
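Review bot: The new guard on `Opp` is a denylist (`..`, `/`, `\\`), so an empty string or a value containing any other unexpected byte still reaches `OldestHistGame(Opp)`, which presumably builds a file path from it. Since the comment says `Opp` is used as a login, an allowlist is the tighter check; assuming logins are letters only once `stolower()` has run, the condition could be `if (Opp[0] == '\0' || Opp[strspn(Opp, "abcdefghijklmnopqrstuvwxyz")] != '\0') {`, with the character set widened to whatever the registration code actually accepts. The rejected value is also written verbatim by `warnx()`, so a history entry carrying control characters would land in the log unescaped; logging only its length, or a sanitised copy, avoids that. `RemHist`'s loop starts and ends outside the hunk, so whether `iter_no++` before `continue` matches the loop's other skip paths cannot be confirmed from here.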