Fix for CAN-2004-0175, based on Markus Friedl's fix for OpenSSH scp.
diff -up krb5-1.7/src/appl/bsd/krcp.c krb5-1.7/src/appl/bsd/krcp.c
1f9df2b
--- krb5-1.7/src/appl/bsd/krcp.c	2009-06-04 14:27:20.000000000 -0400
1f9df2b
+++ krb5-1.7/src/appl/bsd/krcp.c	2009-06-04 14:27:20.000000000 -0400
1f9df2b
@@ -1038,6 +1038,10 @@ void sink(argc, argv)
1f9df2b
 	  size = size * 10 + (*cp++ - '0');
1f9df2b
 	if (*cp++ != ' ')
1f9df2b
 	  SCREWUP("size not delimited");
1f9df2b
+	if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
1f9df2b
+	  error("error: unexpected filename: %s", cp);
1f9df2b
+	  exit(1);
1f9df2b
+	}
1f9df2b
 	if (targisdir) {
1f9df2b
           if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf))
1f9df2b
 	    SCREWUP("target name too long");
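Review bot: The added guard rejects names containing `/` and the exact name `..`, but an empty name or `.` still passes, and with `targisdir` set such a name presumably makes the constructed path refer to the target directory itself. The name comes from the remote peer, so the receiving side should treat it as untrusted and could widen the test to `if (*cp == '\0' || strchr(cp, '/') != NULL || strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {`. A one-line comment such as `/* Name is supplied by the remote side: accept only a plain, single path component. */` above the check would record why it exists. sink() begins and ends outside this hunk, so how `cp` is terminated and how `nambuf` is built are not visible here.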
1f9df2b
@@ -1051,6 +1055,8 @@ void sink(argc, argv)
1f9df2b
 	nambuf[sizeof(nambuf) - 1] = '\0';
1f9df2b
 	exists = stat(nambuf, &stb) == 0;
1f9df2b
 	if (cmdbuf[0] == 'D') {
1f9df2b
+	    if (!iamrecursive)
1f9df2b
+		SCREWUP("received directory without -r");
1f9df2b
 	    if (exists) {
1f9df2b
 		if ((stb.st_mode&S_IFMT) != S_IFDIR) {
1f9df2b
 		    errno = ENOTDIR;
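Review bot: The new `if (!iamrecursive)` test has no comment explaining that it is a check on what the remote peer sent rather than on local arguments, which is easy to miss when reading the `'D'` branch. Something like `/* The peer may only send directories if we asked for a recursive copy (-r). */` above it would make the intent explicit. This hunk reports the violation through `SCREWUP` while the filename check added in the first hunk uses `error()` followed by `exit(1)`; if both are protocol violations by the peer, handling them the same way would be easier to audit. The body of sink() continues past the end of the hunk.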