X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/b614ce8958c574805009abc2335a7cbdde728b24..e9d14678a9f84b52aee758c6ab81dd10f25ef825:/psftp.c

diff --git a/psftp.c b/psftp.c
index b1cfe16d..1612b3b2 100644
--- a/psftp.c
+++ b/psftp.c
@@ -41,14 +41,6 @@ static Config cfg;
  */
 
 /*
- * Determine whether a string is entirely composed of dots.
- */
-static int is_dots(char *str)
-{
-    return str[strspn(str, ".")] == '\0';
-}
-
-/*
  * Attempt to canonify a pathname starting from the pwd. If
  * canonification fails, at least fall back to returning a _valid_
  * pathname (though it may be ugly, eg /home/simon/../foobar).
@@ -291,10 +283,19 @@ int sftp_get_file(char *fname, char *outfname, int recurse, int restart,
 		    ournames = sresize(ournames, namesize, struct fxp_name *);
 		}
 		for (i = 0; i < names->nnames; i++)
-		    if (!is_dots(names->names[i].filename) &&
+		    if (strcmp(names->names[i].filename, ".") &&
+			strcmp(names->names[i].filename, "..") &&
 			(!wildcard || wc_match(wildcard,
-					       names->names[i].filename)))
-			ournames[nnames++] = fxp_dup_name(&names->names[i]);
+					       names->names[i].filename))) {
+			if (!vet_filename(names->names[i].filename)) {
+			    printf("ignoring potentially dangerous server-"
+				   "supplied filename '%s'\n",
+				   names->names[i].filename);
+			} else {
+			    ournames[nnames++] =
+				fxp_dup_name(&names->names[i]);
+			}
+		    }
 		fxp_free_names(names);
 	    }
 	    sftp_register(req = fxp_close_send(dirhandle));