authorMarkus Friedl <markus@cvs.openbsd.org>2004-04-01 12:19:58 +0000
committerMarkus Friedl <markus@cvs.openbsd.org>2004-04-01 12:19:58 +0000
commitf426f17e726d31ab6ffaad429ddc90b7d1fd0a14 (patch)
tree9d4a1bc367a309b19b146d45523e72a7262aff3b
parent49d666407d95d39d44f5cb48315961c632c15367 (diff)
limit trust between local and remote rcp/scp process,
noticed by lcamtuf; ok deraadt@, djm@
-rw-r--r--bin/rcp/rcp.c10
-rw-r--r--usr.bin/ssh/scp.c10
2 files changed, 17 insertions, 3 deletions
diff --git a/bin/rcp/rcp.c b/bin/rcp/rcp.c
index 7b76a268a31..9d23e6e61b6 100644
--- a/bin/rcp/rcp.c
+++ b/bin/rcp/rcp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rcp.c,v 1.38 2003/07/29 00:24:16 deraadt Exp $ */
+/* $OpenBSD: rcp.c,v 1.39 2004/04/01 12:19:57 markus Exp $ */
/* $NetBSD: rcp.c,v 1.9 1995/03/21 08:19:06 cgd Exp $ */
/*
@@ -40,7 +40,7 @@ static char copyright[] =
#if 0
static char sccsid[] = "@(#)rcp.c 8.2 (Berkeley) 4/2/94";
#else
-static const char rcsid[] = "$OpenBSD: rcp.c,v 1.38 2003/07/29 00:24:16 deraadt Exp $";
+static const char rcsid[] = "$OpenBSD: rcp.c,v 1.39 2004/04/01 12:19:57 markus Exp $";
#endif
#endif /* not lint */
@@ -637,6 +637,10 @@ sink(int argc, char *argv[])
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
if (targisdir) {
static char *namebuf;
static int cursize;
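Review bot: The added check on `cp` still accepts an empty name and `.`, because it rejects only a name that contains `/` or is exactly `..`. With `targisdir` set, either of those would presumably resolve to the target directory itself, so a following 'D' record could act on that directory rather than on an entry inside it; the name-building code lies outside the hunk, so this is inferred. Extending the condition closes the gap: `if (*cp == '\0' || strchr(cp, '/') != NULL || strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {`. The identical hunk at @@ -813 in usr.bin/ssh/scp.c needs the same change. sink() starts and ends outside the hunk.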
@@ -655,6 +659,8 @@ sink(int argc, char *argv[])
exists = stat(np, &stb) == 0;
if (buf[0] == 'D') {
int mod_flag = pflag;
+ if (!iamrecursive)
+ SCREWUP("received directory without -r");
if (exists) {
if (!S_ISDIR(stb.st_mode)) {
errno = ENOTDIR;
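Review bot: The guard `if (!iamrecursive)` at the top of the 'D' branch reports a protocol violation through SCREWUP, while the filename check added earlier in this same commit uses run_err() followed by `exit(1)`; the two should be handled the same way, or the difference explained in a comment. SCREWUP is defined outside the hunk, so whether it ends the transfer cannot be confirmed from here. A short comment would also record why the check exists, for example `/* 'D' record is peer-supplied; refuse it unless -r was requested */`. The same applies to the matching hunk at @@ -834 in usr.bin/ssh/scp.c. The body of sink() continues outside the hunk.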
diff --git a/usr.bin/ssh/scp.c b/usr.bin/ssh/scp.c
index cb1da7d1f98..e330bbb937e 100644
--- a/usr.bin/ssh/scp.c
+++ b/usr.bin/ssh/scp.c
@@ -71,7 +71,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: scp.c,v 1.113 2003/11/23 23:21:21 djm Exp $");
+RCSID("$OpenBSD: scp.c,v 1.114 2004/04/01 12:19:57 markus Exp $");
#include "xmalloc.h"
#include "atomicio.h"
@@ -750,6 +750,8 @@ sink(int argc, char **argv)
*cp++ = ch;
} while (cp < &buf[sizeof(buf) - 1] && ch != '\n');
*cp = 0;
+ if (verbose_mode)
+ fprintf(stderr, "Sink: %s", buf);
if (buf[0] == '\01' || buf[0] == '\02') {
if (iamremote == 0)
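Review bot: `fprintf(stderr, "Sink: %s", buf)` writes the peer's protocol line to the terminal unfiltered, so control characters or escape sequences sent by the remote side reach the user's terminal whenever verbose mode is on. Encode non-printable bytes into a local buffer first, for instance `strnvis(vbuf, buf, sizeof(vbuf), VIS_OCTAL);`, and print `vbuf` instead. The format string also has no newline of its own and relies on `buf` ending in `\n`, which the read loop just above does not guarantee when the line fills the buffer. sink() continues outside the hunk.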
@@ -813,6 +815,10 @@ sink(int argc, char **argv)
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ run_err("error: unexpected filename: %s", cp);
+ exit(1);
+ }
if (targisdir) {
static char *namebuf;
static int cursize;
@@ -834,6 +840,8 @@ sink(int argc, char **argv)
exists = stat(np, &stb) == 0;
if (buf[0] == 'D') {
int mod_flag = pflag;
+ if (!iamrecursive)
+ SCREWUP("received directory without -r");
if (exists) {
if (!S_ISDIR(stb.st_mode)) {
errno = ENOTDIR;