From 9520eba82befd328430269d889959f320bed46d5 Mon Sep 17 00:00:00 2001
From: simon <simon@cda61777-01e9-0310-a592-d414129be87e>
Date: Sat, 21 Oct 2000 17:36:44 +0000
Subject: [PATCH] Fix a potential vulnerability in incoming `pscp -r'. The
 server sends filenames of things in the directory being copied. A malicious
 server could have sent, for example, "..\..\windows\system\foo.dll" and
 overwritten something crucial. The filenames are now vetted to ensure they
 don't contain slashes or backslashes.

git-svn-id: svn://svn.tartarus.org/sgt/putty@742 cda61777-01e9-0310-a592-d414129be87e
---
 scp.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/scp.c b/scp.c
index 3c3369fe..55fc3f3d 100644
--- a/scp.c
+++ b/scp.c
@@ -582,7 +582,7 @@ static void run_err(const char *fmt, ...)
     va_list ap;
     va_start(ap, fmt);
     errs++;
-    strcpy(str, "\01scp: ");
+    strcpy(str, "scp: ");
     vsprintf(str+strlen(str), fmt, ap);
     strcat(str, "\n");
     back->send(str, strlen(str));
@@ -824,10 +824,14 @@ static void sink(char *targ)
 	    bump("Protocol error: Illegal file descriptor format");
 	if (targisdir) {
 	    char t[2048];
+	    char *p;
 	    strcpy(t, targ);
 	    if (targ[0] != '\0')
 		strcat(t, "/");
-	    strcat(t, namebuf);
+	    p = namebuf + strlen(namebuf);
+	    while (p > namebuf && p[-1] != '/' && p[-1] != '\\')
+		p--;
+	    strcat(t, p);
 	    strcpy(namebuf, t);
 	} else {
 	    strcpy(namebuf, targ);
-- 
2.11.0