Prevent files from getting installed outside the install root

That was possible by using ".." in install dir or install prefix.

Task-number: QTCREATORBUG-17790
Change-Id: Ib947b11fe361bc061c40b651a0f4a5a4dd7b3074
Reviewed-by: Jake Petroules <jake.petroules@qt.io>
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>

6 files changed, 29 insertions, 1 deletions

diff --git a/src/lib/corelib/buildgraph/productinstaller.cpp b/src/lib/corelib/buildgraph/productinstaller.cpp
index d0d6dab55..935bdd0b1 100644
--- a/src/lib/corelib/buildgraph/productinstaller.cpp
+++ b/src/lib/corelib/buildgraph/productinstaller.cpp
@@ -131,6 +131,12 @@ QString ProductInstaller::targetFilePath(const TopLevelProject *project,
 
     QString targetFilePath;
     if (installSourceBase.isEmpty()) {
+        if (!targetDir.startsWith(options.installRoot())) {
+            throw ErrorInfo(Tr::tr("Cannot install '%1', because target directory '%2' "
+                                   "is outside of install root '%3'")
+                            .arg(sourceFilePath, targetDir, options.installRoot()));
+        }
+
         // This has the same effect as if installSourceBase would equal the directory of the file.
         targetFilePath = FileInfo::fileName(sourceFilePath);
     } else {
diff --git a/src/lib/corelib/tools/installoptions.cpp b/src/lib/corelib/tools/installoptions.cpp
index 1eb9a770d..b1d3bf439 100644
--- a/src/lib/corelib/tools/installoptions.cpp
+++ b/src/lib/corelib/tools/installoptions.cpp
@@ -128,7 +128,7 @@ QString InstallOptions::installRoot() const
  */
 void InstallOptions::setInstallRoot(const QString &installRoot)
 {
-    d->installRoot = installRoot;
+    d->installRoot = QDir::cleanPath(installRoot);
     if (!QDir(installRoot).isRoot()) {
         while (d->installRoot.endsWith(QLatin1Char('/')))
             d->installRoot.chop(1);
diff --git a/tests/auto/blackbox/testdata/invalid-install-dir/invalid-install-dir.qbs b/tests/auto/blackbox/testdata/invalid-install-dir/invalid-install-dir.qbs
new file mode 100644
index 000000000..f4a608904
--- /dev/null
+++ b/tests/auto/blackbox/testdata/invalid-install-dir/invalid-install-dir.qbs
@@ -0,0 +1,11 @@
+import qbs
+
+CppApplication {
+    consoleApplication: true
+    files: ["main.cpp"]
+    Group {
+        fileTagsFilter: ["application"]
+        qbs.install: true
+        qbs.installDir: "../whatever"
+    }
+}
diff --git a/tests/auto/blackbox/testdata/invalid-install-dir/main.cpp b/tests/auto/blackbox/testdata/invalid-install-dir/main.cpp
new file mode 100644
index 000000000..237c8ce18
--- /dev/null
+++ b/tests/auto/blackbox/testdata/invalid-install-dir/main.cpp
@@ -0,0 +1 @@
+int main() {}
diff --git a/tests/auto/blackbox/tst_blackbox.cpp b/tests/auto/blackbox/tst_blackbox.cpp
index 0bf85adb2..bf1b16ad2 100644
--- a/tests/auto/blackbox/tst_blackbox.cpp
+++ b/tests/auto/blackbox/tst_blackbox.cpp
@@ -2929,6 +2929,15 @@ void TestBlackbox::invalidExtensionInstantiation_data()
     QTest::newRow("Utilities");
 }
 
+void TestBlackbox::invalidInstallDir()
+{
+    QDir::setCurrent(testDataDir + "/invalid-install-dir");
+    QbsRunParameters params;
+    params.expectFailure = true;
+    QVERIFY(runQbs(params) != 0);
+    QVERIFY2(m_qbsStderr.contains("outside of install root"), m_qbsStderr.constData());
+}
+
 void TestBlackbox::cli()
 {
     int status;
diff --git a/tests/auto/blackbox/tst_blackbox.h b/tests/auto/blackbox/tst_blackbox.h
index 6cb6354a3..0d13ac942 100644
--- a/tests/auto/blackbox/tst_blackbox.h
+++ b/tests/auto/blackbox/tst_blackbox.h
@@ -104,6 +104,7 @@ private slots:
     void invalidCommandProperty();
     void invalidExtensionInstantiation();
     void invalidExtensionInstantiation_data();
+    void invalidInstallDir();
     void invalidLibraryNames();
     void invalidLibraryNames_data();
     void jsExtensionsFile();