From b78c5699d1b071d76af5371aa91ec8f4241eb52d Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Sat, 21 Oct 2000 17:36:44 +0000 Subject: [PATCH] Fix a potential vulnerability in incoming `pscp -r'. The server sends filenames of things in the directory being copied. A malicious server could have sent, for example, "..\..\windows\system\foo.dll" and overwritten something crucial. The filenames are now vetted to ensure they don't contain slashes or backslashes. [originally from svn r742] --- scp.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/scp.c b/scp.c index 3c3369fe..55fc3f3d 100644 --- a/scp.c +++ b/scp.c @@ -582,7 +582,7 @@ static void run_err(const char *fmt, ...) va_list ap; va_start(ap, fmt); errs++; - strcpy(str, "\01scp: "); + strcpy(str, "scp: "); vsprintf(str+strlen(str), fmt, ap); strcat(str, "\n"); back->send(str, strlen(str)); @@ -824,10 +824,14 @@ static void sink(char *targ) bump("Protocol error: Illegal file descriptor format"); if (targisdir) { char t[2048]; + char *p; strcpy(t, targ); if (targ[0] != '\0') strcat(t, "/"); - strcat(t, namebuf); + p = namebuf + strlen(namebuf); + while (p > namebuf && p[-1] != '/' && p[-1] != '\\') + p--; + strcat(t, p); strcpy(namebuf, t); } else { strcpy(namebuf, targ);