From a16128655fed37a3975fdb8ea0d31ef0fa29e882 Mon Sep 17 00:00:00 2001
From: Ryan Lortie <desrt@desrt.ca>
Date: Fri, 2 Jul 2010 11:35:43 -0400
Subject: [PATCH] Bug 623407 - g_keyfile_settings_backend_new crash

The keyfile backend forms paths like this:

  prefix + group_name + '/' + keyname

If the prefix is '/apps/yelp/' and the group name is '/' then this means
that we end up with a key name of (for example):

  '/apps/yelp/' + '/' + '/' + 'font-adjustment'

= '/apps/yelp///font-adjustment'

which is obviously not a valid key name.

This patch rejects group names starting or ending with '/' or containing
'//' and also rejects keys containing '/'.  This should make it
impossible for invalid keys to be formed.
---
 gio/gkeyfilesettingsbackend.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/gio/gkeyfilesettingsbackend.c b/gio/gkeyfilesettingsbackend.c
index 94cccedba..0306585ad 100644
--- a/gio/gkeyfilesettingsbackend.c
+++ b/gio/gkeyfilesettingsbackend.c
@@ -400,12 +400,23 @@ keyfile_to_tree (GKeyfileSettingsBackend *kfsb,
       gint j;
 
       is_root_group = g_strcmp0 (kfsb->root_group, groups[i]) == 0;
+
+      /* reject group names that will form invalid key names */
+      if (!is_root_group &&
+          (g_str_has_prefix (groups[i], "/") ||
+           g_str_has_suffix (groups[i], "/") || strstr (groups[i], "//")))
+        continue;
+
       keys = g_key_file_get_keys (keyfile, groups[i], NULL, NULL);
 
       for (j = 0; keys[j]; j++)
         {
           gchar *path, *value;
 
+          /* reject key names with slashes in them */
+          if (strchr (keys[j], '/'))
+            continue;
+
           if (is_root_group)
             path = g_strdup_printf ("%s%s", kfsb->prefix, keys[j]);
           else