[openssh-commits] [openssh] 01/01: on Cygwin, check paths from server for backslashes

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Mar 20 12:01:02 AEDT 2017



djm pushed a commit to branch master
in repository openssh.

commit 89f04852db27643717c9c3a2b0dde97ae50099ee
Author: Damien Miller <djm at mindrot.org>
Date:   Mon Mar 20 11:53:34 2017 +1100

    on Cygwin, check paths from server for backslashes
    
    Pointed out by Jann Horn of Google Project Zero
---
 sftp-client.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/sftp-client.c b/sftp-client.c
index d47be0e..a6e8322 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -67,6 +67,13 @@ extern int showprogress;
 /* Maximum depth to descend in directory trees */
 #define MAX_DIR_DEPTH 64
 
+/* Directory separator characters */
+#ifdef HAVE_CYGWIN
+# define SFTP_DIRECTORY_CHARS      "/\\"
+#else /* HAVE_CYGWIN */
+# define SFTP_DIRECTORY_CHARS      "/"
+#endif /* HAVE_CYGWIN */
+
 struct sftp_conn {
 	int fd_in;
 	int fd_out;
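Review bot: The comment above the new macro says what the set is but not why the Cygwin variant adds a backslash, which is the whole point of the fix; a reader on a non-Cygwin build sees only `"/"` and has no hint that the alternate form exists for a path-traversal reason. I would expand the comment to something like `/* Characters a server-supplied name must not contain: on Cygwin a backslash is also a directory separator, so a name like "..\\x" must be rejected as a traversal attempt */`. The macro is consumed in do_lsreaddir further down; if other places in sftp-client.c still test for a literal `'/'` on server-supplied names, they should be switched to this macro too, though none are visible in this diff.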
@@ -619,7 +626,7 @@ do_lsreaddir(struct sftp_conn *conn, const char *path, int print_flag,
 			 * These can be used to attack recursive ops
 			 * (e.g. send '../../../../etc/passwd')
 			 */
-			if (strchr(filename, '/') != NULL) {
+			if (strpbrk(filename, SFTP_DIRECTORY_CHARS) != NULL) {
 				error("Server sent suspect path \"%s\" "
 				    "during readdir of \"%s\"", filename, path);
 			} else if (dir) {
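Review bot: The strpbrk() check rejects any entry containing a separator, but an entry named `..` or `.` on its own contains none and passes this test; unless do_lsreaddir or its recursive callers filter those names elsewhere, a server can still steer a recursive operation one level up. The body of do_lsreaddir starts and ends outside the hunk, so I cannot confirm from here whether such a filter exists. A short comment on the changed line would also help later readers, e.g. `/* SFTP_DIRECTORY_CHARS includes '\\' on Cygwin */`, since the existing block comment only mentions the '/' case.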
