- markus@cvs.openbsd.org 2004/04/01 12:19:57

     [scp.c]
     limit trust between local and remote rcp/scp process,
     noticed by lcamtuf; ok deraadt@, djm@

1 files changed, 9 insertions, 1 deletions

diff --git a/scp.c b/scp.c
index 1daa2ccf7..8621a4409 100644
--- a/scp.c
+++ b/scp.c
@@ -71,7 +71,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.113 2003/11/23 23:21:21 djm Exp $");
+RCSID("$OpenBSD: scp.c,v 1.114 2004/04/01 12:19:57 markus Exp $");
 
 #include "xmalloc.h"
 #include "atomicio.h"
@@ -759,6 +759,8 @@ sink(int argc, char **argv)
                         *cp++ = ch;
                 } while (cp < &buf[sizeof(buf) - 1] && ch != '\n');
                 *cp = 0;
+                if (verbose_mode)
+                        fprintf(stderr, "Sink: %s", buf);
 
                 if (buf[0] == '\01' || buf[0] == '\02') {
                         if (iamremote == 0)
@@ -822,6 +824,10 @@ sink(int argc, char **argv)
                         size = size * 10 + (*cp++ - '0');
                 if (*cp++ != ' ')
                         SCREWUP("size not delimited");
+                if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+                        run_err("error: unexpected filename: %s", cp);
+                        exit(1);
+                }
                 if (targisdir) {
                         static char *namebuf;
                         static int cursize;
@@ -843,6 +849,8 @@ sink(int argc, char **argv)
                 exists = stat(np, &stb) == 0;
                 if (buf[0] == 'D') {
                         int mod_flag = pflag;
+                        if (!iamrecursive)
+                                SCREWUP("received directory without -r");
                         if (exists) {
                                 if (!S_ISDIR(stb.st_mode)) {
                                         errno = ENOTDIR;