From 0c8da36a0bf8c9aec74db7ed8f31c9c1c2eb13f8 Mon Sep 17 00:00:00 2001
From: Alibek Omarov
Date: Sun, 23 Feb 2025 03:13:46 +0300
Subject: [PATCH] filesystem: disallow path traversal in FS_Delete and FS_Rename

---
 filesystem/filesystem.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/filesystem/filesystem.c b/filesystem/filesystem.c
index c1a749e6..bbb01700 100644
--- a/filesystem/filesystem.c
+++ b/filesystem/filesystem.c
@@ -3119,6 +3119,10 @@ qboolean FS_Rename( const char *oldname, const char *newname )
 char oldname2[MAX_SYSPATH], newname2[MAX_SYSPATH], oldpath[MAX_SYSPATH], newpath[MAX_SYSPATH];
 int ret;

+ // a1ba: disallow path traversal
+ if( FS_CheckNastyPath( oldname ) || FS_CheckNastyPath( newname ))
+ return false;
+
 if( !fs_writepath )
 return false;

@@ -3167,6 +3171,10 @@ qboolean GAME_EXPORT FS_Delete( const char *path )
 char path2[MAX_SYSPATH], real_path[MAX_SYSPATH];
 int ret;

+ // a1ba: disallow path traversal
+ if( FS_CheckNastyPath( path ))
+ return false;
+
 if( !fs_writepath || !COM_CheckString( path ))
 return false;
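Review bot: The new guard in FS_Rename returns false with no diagnostic, so a rejected traversal attempt looks the same to the caller and in the console log as an unset `fs_writepath` or an ordinary rename failure; the matching guard in the FS_Delete hunk has the same gap. FS_Delete is marked `GAME_EXPORT`, so its path argument can come from code outside this module, and a warning on rejection would make probing visible. I would turn the early return into a braced block that logs the function name and the offending argument through the module's console logger before `return false;`, passing the name as a `%s` argument and never as the format string. FS_Rename's body starts and continues outside the hunk.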
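Review bot: In FS_Delete the added `FS_CheckNastyPath( path )` call runs before the existing `COM_CheckString( path )` test, so a NULL or empty path now reaches the checker first; its definition is not part of this patch, so whether it tolerates NULL cannot be confirmed from here. Folding the check into the existing condition keeps the null test first and drops the duplicate return: `if( !fs_writepath || !COM_CheckString( path ) || FS_CheckNastyPath( path ))`. The FS_Rename hunk shows no null check ahead of its guard either, though the rest of that function lies outside the hunk.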