1
0
mirror of https://git.tartarus.org/simon/putty.git synced 2025-01-25 09:12:24 +00:00

Fix a potential vulnerability in incoming `pscp -r'. The server

sends filenames of things in the directory being copied. A malicious
server could have sent, for example, "..\..\windows\system\foo.dll"
and overwritten something crucial. The filenames are now vetted to
ensure they don't contain slashes or backslashes.

[originally from svn r742]
This commit is contained in:
Simon Tatham 2000-10-21 17:36:44 +00:00
parent 6eb613e3c4
commit b78c5699d1

8
scp.c
View File

@ -582,7 +582,7 @@ static void run_err(const char *fmt, ...)
va_list ap; va_list ap;
va_start(ap, fmt); va_start(ap, fmt);
errs++; errs++;
strcpy(str, "\01scp: "); strcpy(str, "scp: ");
vsprintf(str+strlen(str), fmt, ap); vsprintf(str+strlen(str), fmt, ap);
strcat(str, "\n"); strcat(str, "\n");
back->send(str, strlen(str)); back->send(str, strlen(str));
@ -824,10 +824,14 @@ static void sink(char *targ)
bump("Protocol error: Illegal file descriptor format"); bump("Protocol error: Illegal file descriptor format");
if (targisdir) { if (targisdir) {
char t[2048]; char t[2048];
char *p;
strcpy(t, targ); strcpy(t, targ);
if (targ[0] != '\0') if (targ[0] != '\0')
strcat(t, "/"); strcat(t, "/");
strcat(t, namebuf); p = namebuf + strlen(namebuf);
while (p > namebuf && p[-1] != '/' && p[-1] != '\\')
p--;
strcat(t, p);
strcpy(namebuf, t); strcpy(namebuf, t);
} else { } else {
strcpy(namebuf, targ); strcpy(namebuf, targ);