From 170c75784cd5c729fe33254412ebf4f03f0b450f Mon Sep 17 00:00:00 2001
From: n7800 <14154601-n7800@users.noreply.gitlab.com>
Date: Mon, 20 Jan 2025 01:28:10 +0500
Subject: [PATCH] LazUtils/TryCreateRelativePath: Improved checking for double period (indicating parent folder) in paths
---
 components/lazutils/lazfileutils.inc | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/components/lazutils/lazfileutils.inc b/components/lazutils/lazfileutils.inc
index f41b3e8a02..b42404aa8f 100644
--- a/components/lazutils/lazfileutils.inc
+++ b/components/lazutils/lazfileutils.inc
@@ -217,7 +217,7 @@ end;
 is not threadsafe (at least on Windows platform)
 - Dest and Source must either be both absolute filenames, or relative
- - Dest and Source cannot contain '..' since no expanding is done by design
+ - Dest and Source cannot contain '/../' since no expanding is done by design
 - Dest and Source must be on same drive or UNC path (Windows)
 - if both Dest and Source are relative they must at least share their base directory
 - Double PathDelims are ignored (unless they are part of the UNC convention)
@@ -298,7 +298,10 @@ var
 begin
 Result := False;
 if (Dest = '') or (Source = '') then Exit;
- if (Pos('..',Dest) > 0) or (Pos('..',Source) > 0) then Exit;
+ // double period components (meaning parent directory) are not allowed in input
+ if Pos('/../', '/' + SwitchPathDelims(Source, pdsUnix) + '/') > 0 then Exit;
+ if Pos('/../', '/' + SwitchPathDelims(Dest , pdsUnix) + '/') > 0 then Exit;
+
 SourceRoot := ExtractFileRoot(Source);
 DestRoot := ExtractFileRoot(Dest);
 //debugln('TryCreaterelativePath: DestRoot = "',DestRoot,'"');
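Review bot: The reworded contract line in the header comment ("cannot contain '/../'") is narrower than the check this commit adds in the body. That check wraps each path in '/' before searching, so a bare '..', a leading '../x' and a trailing 'x/..' are rejected as well, and delimiters are switched to '/' first, so the backslash spellings are presumably covered too. A reader who trusts the comment could conclude that 'x/..' is accepted. I would word it as `- Dest and Source cannot contain a '..' path component (with either path delimiter) since no expanding is done by design`. The comment block starts above this hunk.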
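Review bot: The one-line comment above the two new guards does not explain why each path is wrapped in '/' or that delimiters are normalised before the search, and both details decide what is rejected. I would extend it to something like `// wrap in '/' so a leading, trailing or bare '..' matches too; delimiters are normalised first, so '\' counts as a separator even on Unix`. The last clause assumes SwitchPathDelims(…, pdsUnix) rewrites '\' on every platform, which is not visible here and should be confirmed. If it does, a Unix file name containing a literal backslash next to '..' is now refused, which is the safe direction but worth stating. The check is purely lexical and the body of TryCreateRelativePath continues outside the hunk, so whether later code relies on this guard cannot be judged from these lines.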