From b3dcd9b2e83d61b9441c95ccfb784ed718173244 Mon Sep 17 00:00:00 2001
From: simon
Date: Tue, 28 Aug 2001 12:26:16 +0000
Subject: [PATCH] stripslashes() should have been dealing with colons as well. I don't _think_ there was an exploit (even if the server sends "c:foobar", the client will not attempt to create "c:foobar"; instead it will try to create ".\c:foobar" which will fail), but it's as well to be sure.
git-svn-id: svn://svn.tartarus.org/sgt/putty@1223 cda61777-01e9-0310-a592-d414129be87e
---
 scp.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/scp.c b/scp.c
index 250e229a..b741092d 100644
--- a/scp.c
+++ b/scp.c
@@ -686,12 +686,17 @@ static char *colon(char *str)
 /*
 * Return a pointer to the portion of str that comes after the last
- * slash (or backslash, if `local' is TRUE).
+ * slash (or backslash or colon, if `local' is TRUE).
 */
 static char *stripslashes(char *str, int local)
 {
 char *p;
+ if (local) {
+ p = strchr(str, ':');
+ if (p) str = p+1;
+ }
+
 p = strrchr(str, '/');
 if (p) str = p+1;
@@ -1722,9 +1727,10 @@ static void sink(char *targ, char *src)
 * Prevent the remote side from maliciously writing to
 * files outside the target area by sending a filename
 * containing `../'. In fact, it shouldn't be sending
- * filenames with any slashes in at all; so we'll find
- * the last slash or backslash in the filename and use
- * only the part after that. (And warn!)
+ * filenames with any slashes or colons in at all; so
+ * we'll find the last slash, backslash or colon in the
+ * filename and use only the part after that. (And
+ * warn!)
 *
 * In addition, we also ensure here that if we're
 * copying a single file and the target is a directory
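Review bot: In stripslashes() the new `local` branch calls `strchr(str, ':')`, which cuts at the first colon, while the updated comment promises the part after the last slash, backslash or colon. A name from the remote side that holds more than one colon would still carry a colon into the filename sink() goes on to create, and Windows gives colons in a path special meaning. `p = strrchr(str, ':');` would make the code match its comment. The backslash test and the return are outside this hunk, and toremote() also calls this function on local paths, so both should be checked against the change.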
@@ -1752,7 +1758,9 @@ static void sink(char *targ, char *src)
 striptarget = stripslashes(act.name, 1);
 if (striptarget != act.name) {
 tell_user(stderr, "warning: remote host sent a compound"
- " pathname - possibly malicious! (ignored)");
+ " pathname '%s'", act.name);
+ tell_user(stderr, " renaming local file to '%s'",
+ striptarget);
 }
 /*
@@ -1956,13 +1964,6 @@ static void toremote(int argc, char *argv[])
 */
 srcpath = dupstr(src);
 last = stripslashes(srcpath, 1);
- if (last == srcpath) {
- last = strchr(srcpath, ':');
- if (last)
- last++;
- else
- last = srcpath;
- }
 *last = '\0';
 dir = FindFirstFile(src, &fdat);
-- 
2.11.0
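Review bot: The rewritten warning in sink() passes `act.name` and `striptarget`, both taken from what the remote host sent, into `tell_user(stderr, ...)` as `%s` arguments, so any control characters in the name are written to the user's terminal as-is. Printing a copy with non-printable bytes replaced would keep the warning readable and keep the server from influencing the display. The new text also drops the words "possibly malicious", which told the user why the rename happened; `" pathname '%s' - possibly malicious!"` would keep that. tell_user() is not visible here, so confirm whether it already filters its output. The body of sink() continues outside this hunk.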