Ooh. Actually, that vulnerability is further-reaching than I

[u/mdw/putty] / scp.c

diff --git a/scp.c b/scp.c
index caf06d6..401d444 100644 (file)
--- a/scp.c
+++ b/scp.c
@@ -65,7 +65,7 @@ static char *gui_hwnd = NULL;
 
 static void source(char *src);
 static void rsource(char *src);
-static void sink(char *targ);
+static void sink(char *targ, char *src);
 /* GUI Adaptation - Sept 2000 */
 static void tell_char(FILE *stream, char c);
 static void tell_str(FILE *stream, char *str);
@@ -246,20 +246,25 @@ void connection_fatal(char *fmt, ...)
  * is available.
  *
  * To do this, we repeatedly call the SSH protocol module, with our
- * own trap in term_out() to catch the data that comes back. We do
- * this until we have enough data.
+ * own trap in from_backend() to catch the data that comes back. We
+ * do this until we have enough data.
  */
 static unsigned char *outptr;          /* where to put the data */
 static unsigned outlen;                /* how much data required */
 static unsigned char *pending = NULL;  /* any spare data */
 static unsigned pendlen=0, pendsize=0; /* length and phys. size of buffer */
-void term_out(void) {
+void from_backend(int is_stderr, char *data, int datalen) {
+    unsigned char *p = (unsigned char *)data;
+    unsigned len = (unsigned)datalen;
+
     /*
-     * Here we must deal with a block of data, in `inbuf', size
-     * `inbuf_head'.
+     * stderr data is just spouted to local stderr and otherwise
+     * ignored.
      */
-    unsigned char *p = inbuf;
-    unsigned len = inbuf_head;
+    if (is_stderr) {
+       fwrite(data, 1, len, stderr);
+       return;
+    }
 
     inbuf_head = 0;
 
@@ -329,7 +334,6 @@ static int ssh_scp_recv(unsigned char *buf, int len) {
         if (select(1, &readfds, NULL, NULL, NULL) < 0)
             return 0;                  /* doom */
         back->msg(0, FD_READ);
-        term_out();
     }
 
     return len;
@@ -351,7 +355,6 @@ static void ssh_scp_init(void) {
         if (select(1, &readfds, NULL, NULL, NULL) < 0)
             return;                    /* doom */
         back->msg(0, FD_READ);
-        term_out();
     }
 }
 
@@ -579,7 +582,7 @@ static void run_err(const char *fmt, ...)
     va_list ap;
     va_start(ap, fmt);
     errs++;
-    strcpy(str, "\01scp: ");
+    strcpy(str, "scp: ");
     vsprintf(str+strlen(str), fmt, ap);
     strcat(str, "\n");
     back->send(str, strlen(str));
@@ -751,7 +754,7 @@ static void rsource(char *src)
 /*
  *  Execute the sink part of the SCP protocol.
  */
-static void sink(char *targ)
+static void sink(char *targ, char *src)
 {
     char buf[2048];
     char namebuf[2048];
@@ -819,12 +822,23 @@ static void sink(char *targ)
 
        if (sscanf(buf+1, "%u %lu %[^\n]", &mode, &size, namebuf) != 3)
            bump("Protocol error: Illegal file descriptor format");
+       /* Security fix: ensure the file ends up where we asked for it. */
+       if (src) {
+           char *p = src + strlen(src);
+           while (p > src && p[-1] != '/' && p[-1] != '\\')
+               p--;
+           strcpy(namebuf, p);
+       }
        if (targisdir) {
            char t[2048];
+           char *p;
            strcpy(t, targ);
            if (targ[0] != '\0')
                strcat(t, "/");
-           strcat(t, namebuf);
+           p = namebuf + strlen(namebuf);
+           while (p > namebuf && p[-1] != '/' && p[-1] != '\\')
+               p--;
+           strcat(t, p);
            strcpy(namebuf, t);
        } else {
            strcpy(namebuf, targ);
@@ -844,7 +858,7 @@ static void sink(char *targ)
                    continue;
                }
            }
-           sink(namebuf);
+           sink(namebuf, NULL);
            /* can we set the timestamp for directories ? */
            continue;
        }
@@ -1057,7 +1071,7 @@ static void tolocal(int argc, char *argv[])
     do_cmd(host, user, cmd);
     sfree(cmd);
 
-    sink(targ);
+    sink(targ, src);
 }
 
 /*