mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-10 01:48:00 +00:00
Fix a potential vulnerability in incoming `pscp -r'. The server
sends filenames of things in the directory being copied. A malicious server could have sent, for example, "..\..\windows\system\foo.dll" and overwritten something crucial. The filenames are now vetted to ensure they don't contain slashes or backslashes. [originally from svn r742]
This commit is contained in:
parent
6eb613e3c4
commit
b78c5699d1
8
scp.c
8
scp.c
@ -582,7 +582,7 @@ static void run_err(const char *fmt, ...)
|
||||
va_list ap;
|
||||
va_start(ap, fmt);
|
||||
errs++;
|
||||
strcpy(str, "\01scp: ");
|
||||
strcpy(str, "scp: ");
|
||||
vsprintf(str+strlen(str), fmt, ap);
|
||||
strcat(str, "\n");
|
||||
back->send(str, strlen(str));
|
||||
@ -824,10 +824,14 @@ static void sink(char *targ)
|
||||
bump("Protocol error: Illegal file descriptor format");
|
||||
if (targisdir) {
|
||||
char t[2048];
|
||||
char *p;
|
||||
strcpy(t, targ);
|
||||
if (targ[0] != '\0')
|
||||
strcat(t, "/");
|
||||
strcat(t, namebuf);
|
||||
p = namebuf + strlen(namebuf);
|
||||
while (p > namebuf && p[-1] != '/' && p[-1] != '\\')
|
||||
p--;
|
||||
strcat(t, p);
|
||||
strcpy(namebuf, t);
|
||||
} else {
|
||||
strcpy(namebuf, targ);
|
||||
|
Loading…
Reference in New Issue
Block a user