From 89f04852db27643717c9c3a2b0dde97ae50099ee Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Mon, 20 Mar 2017 11:53:34 +1100 Subject: [PATCH] on Cygwin, check paths from server for backslashes Pointed out by Jann Horn of Google Project Zero --- sftp-client.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/sftp-client.c b/sftp-client.c index d47be0ea5..a6e832270 100644 --- a/sftp-client.c +++ b/sftp-client.c @@ -67,6 +67,13 @@ extern int showprogress; /* Maximum depth to descend in directory trees */ #define MAX_DIR_DEPTH 64 +/* Directory separator characters */ +#ifdef HAVE_CYGWIN +# define SFTP_DIRECTORY_CHARS "/\\" +#else /* HAVE_CYGWIN */ +# define SFTP_DIRECTORY_CHARS "/" +#endif /* HAVE_CYGWIN */ + struct sftp_conn { int fd_in; int fd_out; @@ -619,7 +626,7 @@ do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag, * These can be used to attack recursive ops * (e.g. send '../../../../etc/passwd') */ - if (strchr(filename, '/') != NULL) { + if (strpbrk(filename, SFTP_DIRECTORY_CHARS) != NULL) { error("Server sent suspect path \"%s\" " "during readdir of \"%s\"", filename, path); } else if (dir) {