Bug - Fixed Potentially abusable lack of validation in map_to_file?

map_to_file doesn't validate the filename parameter, so you can traverse the directory tree upwards with "..". If mafia is in a directory upon which you have write access, you can create new and change arbitrary existing files trivially in the Mafia dir, and potentially anything on the same partition. That's not very good.

Digging around, http://kolmafia.us/showthread.php?10838-11348-Fix-directory-traversal-exploit-Disallow-scripts-from-writing-a-data-file-wi looks like it once fixed something like this, except no more. (Can traverse directories, including outside the mafia directory, and you can write to all files including .ash.)

Apparently Roippi has moderated this thread. I believe that means that regular users cannot see it. Probably a wise idea. I'm just pointing this out in case other Minions don't notice that fact and worry that we are exposing this security breach to the general population.

Hopefully it will be fixed soon.

I believe I fixed this with 15780. I'm more worried that I broke something else in the process than I am about any remaining security issue.

Should we mark this fixed?