on Cygwin, check paths from server for backslashes

Pointed out by Jann Horn of Google Project Zero
author: Damien Miller <djm@mindrot.org> 2017-03-20 11:53:34 +1100
committer: Damien Miller <djm@mindrot.org> 2017-03-20 11:53:34 +1100
commit: 89f04852db27643717c9c3a2b0dde97ae50099ee (patch)
tree: 3b3bbd73858471e6a5b3bf49965b453ca46c363c
parent: 7ef1f9bafc2cc8d97ff2fbd4f280002b6e8ea5d9 (diff)
download: openssh-git-89f04852db27643717c9c3a2b0dde97ae50099ee.tar.gz
1 files changed, 8 insertions, 1 deletions
diff --git a/sftp-client.c b/sftp-client.c
index d47be0ea..a6e83227 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -67,6 +67,13 @@ extern int showprogress;
 /* Maximum depth to descend in directory trees */
 #define MAX_DIR_DEPTH 64
 
+/* Directory separator characters */
+#ifdef HAVE_CYGWIN
+# define SFTP_DIRECTORY_CHARS      "/\\"
+#else /* HAVE_CYGWIN */
+# define SFTP_DIRECTORY_CHARS      "/"
+#endif /* HAVE_CYGWIN */
+
 struct sftp_conn {
 	int fd_in;
 	int fd_out;
@@ -619,7 +626,7 @@ do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag,
 			 * These can be used to attack recursive ops
 			 * (e.g. send '../../../../etc/passwd')
 			 */
-			if (strchr(filename, '/') != NULL) {
+			if (strpbrk(filename, SFTP_DIRECTORY_CHARS) != NULL) {
 				error("Server sent suspect path \"%s\" "
 				    "during readdir of \"%s\"", filename, path);
 			} else if (dir) {
author	Damien Miller <djm@mindrot.org>	2017-03-20 11:53:34 +1100
committer	Damien Miller <djm@mindrot.org>	2017-03-20 11:53:34 +1100
commit	89f04852db27643717c9c3a2b0dde97ae50099ee (patch)
tree	3b3bbd73858471e6a5b3bf49965b453ca46c363c
parent	7ef1f9bafc2cc8d97ff2fbd4f280002b6e8ea5d9 (diff)
download	openssh-git-89f04852db27643717c9c3a2b0dde97ae50099ee.tar.gz