Prevent files from getting installed outside the install root

That was possible by using ".." in install dir or install prefix.

Task-number: QTCREATORBUG-17790
Change-Id: Ib947b11fe361bc061c40b651a0f4a5a4dd7b3074
Reviewed-by: Jake Petroules <jake.petroules@qt.io>
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>

2 files changed, 7 insertions, 1 deletions

diff --git a/src/lib/corelib/buildgraph/productinstaller.cpp b/src/lib/corelib/buildgraph/productinstaller.cpp
index d0d6dab55..935bdd0b1 100644
--- a/src/lib/corelib/buildgraph/productinstaller.cpp
+++ b/src/lib/corelib/buildgraph/productinstaller.cpp
@@ -131,6 +131,12 @@ QString ProductInstaller::targetFilePath(const TopLevelProject *project,
 
     QString targetFilePath;
     if (installSourceBase.isEmpty()) {
+        if (!targetDir.startsWith(options.installRoot())) {
+            throw ErrorInfo(Tr::tr("Cannot install '%1', because target directory '%2' "
+                                   "is outside of install root '%3'")
+                            .arg(sourceFilePath, targetDir, options.installRoot()));
+        }
+
         // This has the same effect as if installSourceBase would equal the directory of the file.
         targetFilePath = FileInfo::fileName(sourceFilePath);
     } else {
diff --git a/src/lib/corelib/tools/installoptions.cpp b/src/lib/corelib/tools/installoptions.cpp
index 1eb9a770d..b1d3bf439 100644
--- a/src/lib/corelib/tools/installoptions.cpp
+++ b/src/lib/corelib/tools/installoptions.cpp
@@ -128,7 +128,7 @@ QString InstallOptions::installRoot() const
  */
 void InstallOptions::setInstallRoot(const QString &installRoot)
 {
-    d->installRoot = installRoot;
+    d->installRoot = QDir::cleanPath(installRoot);
     if (!QDir(installRoot).isRoot()) {
         while (d->installRoot.endsWith(QLatin1Char('/')))
             d->installRoot.chop(1);