mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-25 09:12:24 +00:00
Fix a potential vulnerability in incoming `pscp -r'. The server
sends filenames of things in the directory being copied. A malicious server could have sent, for example, "..\..\windows\system\foo.dll" and overwritten something crucial. The filenames are now vetted to ensure they don't contain slashes or backslashes. [originally from svn r742]
This commit is contained in:
parent
6eb613e3c4
commit
b78c5699d1
8
scp.c
8
scp.c
@ -582,7 +582,7 @@ static void run_err(const char *fmt, ...)
|
|||||||
va_list ap;
|
va_list ap;
|
||||||
va_start(ap, fmt);
|
va_start(ap, fmt);
|
||||||
errs++;
|
errs++;
|
||||||
strcpy(str, "\01scp: ");
|
strcpy(str, "scp: ");
|
||||||
vsprintf(str+strlen(str), fmt, ap);
|
vsprintf(str+strlen(str), fmt, ap);
|
||||||
strcat(str, "\n");
|
strcat(str, "\n");
|
||||||
back->send(str, strlen(str));
|
back->send(str, strlen(str));
|
||||||
@ -824,10 +824,14 @@ static void sink(char *targ)
|
|||||||
bump("Protocol error: Illegal file descriptor format");
|
bump("Protocol error: Illegal file descriptor format");
|
||||||
if (targisdir) {
|
if (targisdir) {
|
||||||
char t[2048];
|
char t[2048];
|
||||||
|
char *p;
|
||||||
strcpy(t, targ);
|
strcpy(t, targ);
|
||||||
if (targ[0] != '\0')
|
if (targ[0] != '\0')
|
||||||
strcat(t, "/");
|
strcat(t, "/");
|
||||||
strcat(t, namebuf);
|
p = namebuf + strlen(namebuf);
|
||||||
|
while (p > namebuf && p[-1] != '/' && p[-1] != '\\')
|
||||||
|
p--;
|
||||||
|
strcat(t, p);
|
||||||
strcpy(namebuf, t);
|
strcpy(namebuf, t);
|
||||||
} else {
|
} else {
|
||||||
strcpy(namebuf, targ);
|
strcpy(namebuf, targ);
|
||||||
|
Loading…
Reference in New Issue
Block a user