From 71bcc79c20199723e2a906915275938635e2d9a0 Mon Sep 17 00:00:00 2001
From: Dan Puttick <dputtick@users.noreply.github.com>
Date: Thu, 16 Mar 2017 12:22:26 -0400
Subject: [PATCH 1/2] Remove rtl override char from file dst_path

The unicode right to left override character can be used for various attacks.
This commit:
* Detects this character in the filename on the source key
* Strips it from the path before copying it to the dest key
* Marks the file as dangerous (this character doesn't belong in a filename)
---
 bin/filecheck.py | 33 +++++++++++++++++++++++++--------
 1 file changed, 25 insertions(+), 8 deletions(-)

diff --git a/bin/filecheck.py b/bin/filecheck.py
index 3dc26dd..da7e00b 100644
--- a/bin/filecheck.py
+++ b/bin/filecheck.py
@@ -130,11 +130,14 @@ class File(FileBase):
             self.make_dangerous('malicious_extension')
 
     def _check_extension(self):
-        """Guesses the file's mimetype based on its extension. If the file's
-        mimetype (as determined by libmagic) is contained in the mimetype
-        module's list of valid mimetypes and the expected mimetype based on its
-        extension differs from the mimetype determined by libmagic, then it
-        marks the file as dangerous."""
+        """
+        Guess the file's mimetype based on its extension.
+
+        If the file's mimetype (as determined by libmagic) is contained in
+        the `mimetype` module's list of valid mimetypes and the expected
+        mimetype based on its extension differs from the mimetype determined
+        by libmagic, then mark the file as dangerous.
+        """
         if self.extension in Config.override_ext:
             expected_mimetype = Config.override_ext[self.extension]
         else:
@@ -148,9 +151,12 @@ class File(FileBase):
             self.make_dangerous('expected_mimetype')
 
     def _check_mimetype(self):
-        """Takes the mimetype (as determined by libmagic) and determines
-        whether the list of extensions that are normally associated with
-        that extension contains the file's actual extension."""
+        """
+        Compare mimetype (as determined by libmagic) to extension.
+
+        Determine whether the extension that are normally associated with
+        the mimetype include the file's actual extension.
+        """
         if self.mimetype in Config.aliases:
             mimetype = Config.aliases[self.mimetype]
         else:
@@ -162,8 +168,19 @@ class File(FileBase):
                 # LOG: improve this string
                 self.make_dangerous('expected extensions')
 
+    def _check_filename(self):
+        if self.filename[0] is '.':
+            # handle dotfiles
+            pass
+        right_to_left_override = u"\u202E"
+        if right_to_left_override in self.filename:
+            self.make_dangerous('Filename contains dangerous character')
+            self.dst_path = self.dst_path.replace(right_to_left_override, '')
+            # TODO: change self.filename and'filename' property?
+
     def check(self):
         self._check_dangerous()
+        self._check_filename()
         if self.has_extension:
             self._check_extension()
         if self.has_mimetype:

From 2a5decf0ad2defa99bd71ce78748956701ecf85f Mon Sep 17 00:00:00 2001
From: Dan Puttick <dputtick@users.noreply.github.com>
Date: Thu, 16 Mar 2017 17:34:20 -0400
Subject: [PATCH 2/2] Add rtl sample file to src_invalid

---
 tests/src_invalid/testRTL‮exe.txt | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 tests/src_invalid/testRTL‮exe.txt

diff --git a/tests/src_invalid/testRTL‮exe.txt b/tests/src_invalid/testRTL‮exe.txt
new file mode 100644
index 0000000..3933f42
--- /dev/null
+++ b/tests/src_invalid/testRTL‮exe.txt
@@ -0,0 +1 @@
+RTL test file generated by D. Puttick
\ No newline at end of file