From e8a9e452915b034be9dbeaceee6afa14a323f9b3 Mon Sep 17 00:00:00 2001
From: SomberNight <somber.night@protonmail.com>
Date: Tue, 28 May 2024 14:20:28 +0000
Subject: [PATCH] qml wizard: even stricter validation for new wallet name

related: https://github.com/spesmilo/electrum/commit/07dc80dd9a21df820a3de3ea0cb1768c74aeab9d
---
 electrum/gui/qml/qewizard.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/electrum/gui/qml/qewizard.py b/electrum/gui/qml/qewizard.py
index b49d56349..7ca8841ff 100644
--- a/electrum/gui/qml/qewizard.py
+++ b/electrum/gui/qml/qewizard.py
@@ -130,8 +130,13 @@ class QENewWalletWizard(NewWalletWizard, QEAbstractWizard):
             return False
         wallet_path = self._wallet_path_from_wallet_name(wallet_name)
         # note: we should probably restrict wallet names to be alphanumeric (plus underscore, etc)...
-        #       wallet_name might contain ".." (etc) and hence sketchy path traversals are possible.
-        #       Anyway, this at least validates that the path looks sane to the filesystem:
+        # try to prevent sketchy path traversals:
+        for forbidden_char in ("/", "\\", ):
+            if forbidden_char in wallet_name:
+                return False
+        if os.path.basename(wallet_name) != wallet_name:
+            return False
+        # validate that the path looks sane to the filesystem:
         try:
             temp_storage = WalletStorage(wallet_path)
         except (StorageReadWriteError, WalletFileException) as e: