flute-receiver example writes files insecurely and may crash

[ypo]

Overview
The flute-receiver example writes the received files to a blind location, which lead to security concern and stability issues

rt-libflute/examples/flute-receiver.cpp

Lines 166 to 167 in 56c927f

	FILE* fd = fopen(file->meta().content_location.c_str(), "wb");
	fwrite(file->buffer(), 1, file->length(), fd);

Bugs

1. Files are written directly using the Content-Location value. A malicious FLUTE stream could forge a Content-Location to potentially overwrite arbitrary files on the receiver.

2. Content-Location is a URI, but the code uses it as-is for the file path. Content-Location should be parsed, probably the path of the URI should be used to create the file path.

3. After opening a file, the code does not check whether the file descriptor is valid. This leads to crash if the file fails to open.

New Feature

It could be nice to have an option to select to which folder files are written

[rjb1000]

Seems like an interesting issue for wider discussion.

[davidjwbbc]

Although this could be a concern, also consider that these are just example programs and so are not product ready. The examples are only to demonstrate using the library for transmission and reception. Certainly in a production ready application you screen all inputs and catch misuse, but for these examples it's probably not worth trying to security harden them.

For each bug:

1. You could use the realpath() function (see man page realpath(3)) to resolve the storage directory and file path to ensure that the file path starts with the storage directory path. You'd also need to ensure that the directory part of the file path also exists.
2. A URI may be relative, and the current example relies on this being expressed as a single name relative path (as used by the flute-transmitter example). Possibly a safer way to use this would be to parse as a URI and just take the final path element. This would also mitigate bug 1.
3. There probably should be some error handling code on both the fopen() and fwrite() to report errors and handle them appropriately.

A command line option to pick a destination folder, rather than the current directory, would be nice. Until now I've created a storage directory and cd'd into it before running the receiver in order to keep the received files away for the rest of the file system.

[davidjwbbc]

Option 2 from above has been implemented by @dsilhavy in PR #45 when an output directory is specified.