Reported by MrSynAckster. A specifically crafted NAND dump could use
path traversal to overwrite files on the host file system.
This is also an accuracy fix for importing NAND dumps that contain
file names that Dolphin is supposed to escape. Some games' save files
are affected.
GetPath has two special cases where it doesn't add a slash.
The first is for the root entry's special name "/". The next commit will
be neater if we can skip calling GetPath for the root entry, because '/'
is one of the characters that Common::EscapeFileName replaces with an
escape sequence. Let's check for entry number 0 instead.
The second is for parent paths that already end in a slash. There's no
actual need to check for this - double slashes are harmless, and for
comparison, NANDImporter::ExtractCertificates already appends slashes
without checking if there already is one. Let's remove this check.
Now with cancel button and an actual progress bar. For simplicity, we do
two passes on the progress bar, one for loading the NAND into memory and
one for extracting it. The user directory is likely on an SSD, making
the extraction pass invisibly fast.
SPDX standardizes how source code conveys its copyright and licensing
information. See https://spdx.github.io/spdx-spec/1-rationale/ . SPDX
tags are adopted in many large projects, including things like the Linux
kernel.
We want to use positional arguments in translatable strings
that have more than one argument so that translators can change
the order of them, but the question is: Should we also use
positional arguments in translatable strings with only one
argument? I think it makes most sense that way, partially
so that translators don't even have to be aware of the
non-positional syntax and partially because "translatable
strings use positional arguments" is an easier rule for us
to remember than "transitional strings which have more than
one argument use positional arguments". But let me know if
you have a different opinion.
Once nice benefit of fmt is that we can use positional arguments
in localizable strings. This a feature which has been
requested for the Korean translation of strings like
"Errors were found in %zu blocks in the %s partition."
and which will no doubt be useful for other languages too.
Use std::string(cstring, strnlen(cstring, max_length)) instead of
trying to remove extra null characters manually, which is a bit
ugly and error prone.
And indeed, the original code contained a bug which would cause
extra NULLs to not be removed at all if the string did not
end with a NULL -- causing issues down the road when constructing
paths for sub-entries.
gcc complains that the printf %x formatting instruction expects an
'unsigned int' but we pass a 'size_t'. We add the 'z' length formatting
specifier used for 'size_t'
Fixes warning:
```
Source/Core/DiscIO/NANDImporter.cpp:55:17: warning: format specifies type 'unsigned long' but the argument has type 'u64' (aka 'unsigned long long') [-Wformat]
file.GetSize(), NAND_BIN_SIZE);
^~~~~~~~~~~~~~
1 warning generated.
```
