From 18d7998008f210b4b90118c0a982b9f7974a77f7 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Tue, 23 Oct 2018 18:05:58 +0100 Subject: [PATCH] pscp: extra security check in SCP mode. When you don't specify -r, we now check whether the server is sending a whole subdirectory in place of a single file, and abort if it does. Previously we'd accept the subdirectory download regardless. The new error message labels this as a security violation, just on the grounds that it involves the server doing something other than what the implicit contract suggested it ought to, but I don't think it's a really serious violation in the same sense as letting the server cd into ".." or overwrite files of arbitrary name would be. In this case it can only leave a downloaded thing in the specific place you already authorised it to put _some_ downloaded thing - it's just returned you a directory in place of a file. --- pscp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/pscp.c b/pscp.c index d7efd147..230d8c5e 100644 --- a/pscp.c +++ b/pscp.c @@ -1456,6 +1456,10 @@ int scp_get_sink_action(struct scp_sink_action *act) case 'C': case 'D': act->action = (action == 'C' ? SCP_SINK_FILE : SCP_SINK_DIR); + if (act->action == SCP_SINK_DIR && !recursive) { + bump("security violation: remote host attempted to create " + "a subdirectory in a non-recursive copy!"); + } break; default: bump("Protocol error: Expected control record");
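Review bot: The new `if (act->action == SCP_SINK_DIR && !recursive)` check in the `case 'C': case 'D':` arm carries no comment saying what it enforces, and it is only correct if `bump()` never returns, since the `break` that follows would otherwise let the directory record be processed as before. A one-line comment above the check would cover both points: without -r the client asked for a single file, so a 'D' record is outside what was requested, and `bump()` is relied on to abort. The message text is also worth a second look: the commit message itself says this is not a serious violation in the sense that a ".." traversal or arbitrary overwrite would be, yet the user sees "security violation" with no indication of which directory the server tried to send. Consider wording closer to the neighbouring "Protocol error: Expected control record" style, and include the offending name if it is available at this point, so that a user or an incident responder can tell from the output what the server actually attempted.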