diff options
author | Damien Miller <djm@mindrot.org> | 2017-03-20 11:53:34 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2017-03-20 11:53:34 +1100 |
commit | 89f04852db27643717c9c3a2b0dde97ae50099ee (patch) | |
tree | 3b3bbd73858471e6a5b3bf49965b453ca46c363c | |
parent | 7ef1f9bafc2cc8d97ff2fbd4f280002b6e8ea5d9 (diff) | |
download | openssh-git-89f04852db27643717c9c3a2b0dde97ae50099ee.tar.gz |
on Cygwin, check paths from server for backslashes
Pointed out by Jann Horn of Google Project Zero
-rw-r--r-- | sftp-client.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/sftp-client.c b/sftp-client.c index d47be0ea..a6e83227 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -67,6 +67,13 @@ extern int showprogress; /* Maximum depth to descend in directory trees */ #define MAX_DIR_DEPTH 64 +/* Directory separator characters */ +#ifdef HAVE_CYGWIN +# define SFTP_DIRECTORY_CHARS "/\\" +#else /* HAVE_CYGWIN */ +# define SFTP_DIRECTORY_CHARS "/" +#endif /* HAVE_CYGWIN */ + struct sftp_conn { int fd_in; int fd_out; @@ -619,7 +626,7 @@ do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag, * These can be used to attack recursive ops * (e.g. send '../../../../etc/passwd') */ - if (strchr(filename, '/') != NULL) { + if (strpbrk(filename, SFTP_DIRECTORY_CHARS) != NULL) { error("Server sent suspect path \"%s\" " "during readdir of \"%s\"", filename, path); } else if (dir) { |