From ca2d59436752b1d46a12d4d4fabd366fac81b0ca Mon Sep 17 00:00:00 2001 From: simon Date: Sat, 21 Oct 2000 17:52:54 +0000 Subject: [PATCH] Ooh. Actually, that vulnerability is further-reaching than I thought. As well as the ".." attack in recursive copies, the name sent by the client was also trusted in a single-file implicit- destination copy such as "pscp host:foo .". (The result was ./foo, where foo is what the server claimed the file was rather than what the user asked for. I think it's not unreasonable that if the user requests file `foo' from the host, he should get the result in a file called `foo' no matter what the host thinks.) git-svn-id: svn://svn.tartarus.org/sgt/putty@743 cda61777-01e9-0310-a592-d414129be87e --- scp.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/scp.c b/scp.c index 55fc3f3d..401d444c 100644 --- a/scp.c +++ b/scp.c @@ -65,7 +65,7 @@ static char *gui_hwnd = NULL; static void source(char *src); static void rsource(char *src); -static void sink(char *targ); +static void sink(char *targ, char *src); /* GUI Adaptation - Sept 2000 */ static void tell_char(FILE *stream, char c); static void tell_str(FILE *stream, char *str); @@ -754,7 +754,7 @@ static void rsource(char *src) /* * Execute the sink part of the SCP protocol. */ -static void sink(char *targ) +static void sink(char *targ, char *src) { char buf[2048]; char namebuf[2048]; @@ -822,6 +822,13 @@ static void sink(char *targ) if (sscanf(buf+1, "%u %lu %[^\n]", &mode, &size, namebuf) != 3) bump("Protocol error: Illegal file descriptor format"); + /* Security fix: ensure the file ends up where we asked for it. */ + if (src) { + char *p = src + strlen(src); + while (p > src && p[-1] != '/' && p[-1] != '\\') + p--; + strcpy(namebuf, p); + } if (targisdir) { char t[2048]; char *p; @@ -851,7 +858,7 @@ static void sink(char *targ) continue; } } - sink(namebuf); + sink(namebuf, NULL); /* can we set the timestamp for directories ? */ continue; } @@ -1064,7 +1071,7 @@ static void tolocal(int argc, char *argv[]) do_cmd(host, user, cmd); sfree(cmd); - sink(targ); + sink(targ, src); } /* -- 2.11.0