Fix a potential vulnerability in incoming `pscp -r'. The server

sends filenames of things in the directory being copied. A malicious
server could have sent, for example, "..\..\windows\system\foo.dll"
and overwritten something crucial. The filenames are now vetted to
ensure they don't contain slashes or backslashes.

git-svn-id: svn://svn.tartarus.org/sgt/putty@742 cda61777-01e9-0310-a592-d414129be87e

diff --git a/scp.c b/scp.c
index 3c3369f..55fc3f3 100644 (file)
--- a/scp.c
+++ b/scp.c
@@ -582,7 +582,7 @@ static void run_err(const char *fmt, ...)
     va_list ap;
     va_start(ap, fmt);
     errs++;
-    strcpy(str, "\01scp: ");
+    strcpy(str, "scp: ");
     vsprintf(str+strlen(str), fmt, ap);
     strcat(str, "\n");
     back->send(str, strlen(str));
@@ -824,10 +824,14 @@ static void sink(char *targ)
            bump("Protocol error: Illegal file descriptor format");
        if (targisdir) {
            char t[2048];
+           char *p;
            strcpy(t, targ);
            if (targ[0] != '\0')
                strcat(t, "/");
-           strcat(t, namebuf);
+           p = namebuf + strlen(namebuf);
+           while (p > namebuf && p[-1] != '/' && p[-1] != '\\')
+               p--;
+           strcat(t, p);
            strcpy(namebuf, t);
        } else {
            strcpy(namebuf, targ);