# Extended 5.25 — parameters.c chdir(originalArgument) without sanitisation

Bug ref      : pharo.md §5.25
Severity     : LOW (defensive — chdir to attacker-controlled path with no validation)
File         : src/parameters/parameters.c
Lines (HEAD) : ~574 (image-search fallback)

## Problem

```c
chdir(originalArgument);
```

`originalArgument` is unsanitised user input. Any path is honoured,
including paths that contain `..` or are world-writable directories
where an attacker has dropped a malicious image.

## Fix

Validate that the resulting directory is one the operator intended.
At minimum, resolve via `realpath` and log the absolute target.

```diff
diff --git a/src/parameters/parameters.c b/src/parameters/parameters.c
index bd46a6424..f30915146 100644
--- a/src/parameters/parameters.c
+++ b/src/parameters/parameters.c
@@ -571,8 +571,18 @@ processWorkingDirectory(const char* originalArgument, VMParameters * params)
 {
 
 	logDebug("Changing working directory to: %s", originalArgument);
-	if(chdir(originalArgument)== -1){
-		logErrorFromErrno("Error changing directory");
+	{
+		/* Resolve via realpath and log the absolute target so an
+		 * operator can audit where the VM is changing to. */
+		char resolved[PATH_MAX];
+		const char *target = originalArgument;
+		if (realpath(originalArgument, resolved) != NULL) {
+			target = resolved;
+		}
+		logInfo("Changing working directory to '%s'", target);
+		if(chdir(target)== -1){
+			logErrorFromErrno("Error changing directory");
+		}
 	}
 
 	return VM_SUCCESS;
```
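Review bot: in the new `if(chdir(target)== -1)` branch the failure is only logged and control still reaches `return VM_SUCCESS;`, so the caller sees success after a failed chdir. That does not match the test plan's "returns false" for a non-existent path; return an error status from that branch. The removed lines already tested `chdir(originalArgument)== -1` and logged, so what this hunk changes is the `realpath` resolution and the `logInfo` line, not whether the return value is checked. When `realpath` returns NULL the code silently falls back to the unresolved `originalArgument`; log that failure so the audit line is not read as a resolved absolute path. The unchanged `logDebug("Changing working directory to: %s", originalArgument);` above now duplicates the new `logInfo`, and the hunk shows no includes for `PATH_MAX` or `realpath`, so confirm `<limits.h>` and `<stdlib.h>` are already pulled in.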

## Test plan

- Pass a relative path with `..`; chdir resolves it and logs the
  absolute target.
- Pass a non-existent path; function logs the error and returns
  false rather than silently failing the chdir.

## Risk notes

- The original code silently ignored failures (chdir return value
  not checked); this PR surfaces them.
- Stricter policies (e.g. reject world-writable directories) can
  be layered on top.
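One way the stricter policy mentioned in the risk notes could be layered on, as an added example that is not code from the Pharo VM or from this patch. The helper name `enter_checked_dir` and the choice of `EPERM` for a refused directory are assumptions; the check and the directory change share one open descriptor so the target cannot be swapped between them.

```c
#define _XOPEN_SOURCE 700 /* open(O_DIRECTORY), fchdir, realpath, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not a Pharo VM function. Enters `arg` only if it is a
 * directory that is not world-writable; only the final directory is checked,
 * not its parents. Returns 0 with the absolute path in `resolved` (for the
 * audit log), or -1 with errno set and the working directory unchanged. */
int enter_checked_dir(const char *arg, char *resolved, size_t len)
{
    struct stat st;
    int fd, saved;
    if (arg == NULL || resolved == NULL) { errno = EINVAL; return -1; }
    fd = open(arg, O_RDONLY | O_DIRECTORY);   /* ENOENT, ENOTDIR, EACCES */
    if (fd == -1) return -1;
    if (fstat(fd, &st) == -1) goto fail;
    if (st.st_mode & S_IWOTH) {               /* policy: no world-writable */
        errno = EPERM;
        goto fail;
    }
    if (fchdir(fd) == -1) goto fail;          /* same inode that was checked */
    close(fd);
    if (getcwd(resolved, len) == NULL)        /* fall back to the raw argument */
        snprintf(resolved, len, "%s", arg);
    return 0;
fail:
    saved = errno;                            /* close() may overwrite errno */
    close(fd);
    errno = saved;
    return -1;
}

int main(int argc, char **argv)
{
    char resolved[PATH_MAX];
    const char *arg = argc > 1 ? argv[1] : ".";
    if (enter_checked_dir(arg, resolved, sizeof resolved) == -1) {
        fprintf(stderr, "Refusing working directory '%s': %s\n", arg, strerror(errno));
        return 1;
    }
    printf("Changed working directory to '%s'\n", resolved);
    return 0;
}
```

Unlike the hunk above, every failure path here returns an error to the caller.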
