diff options
author | Wayne Davison <wayned@samba.org> | 2014-04-13 10:36:59 -0700 |
---|---|---|
committer | Wayne Davison <wayned@samba.org> | 2014-04-13 10:36:59 -0700 |
commit | 4cad402ea8a91031f86c53961d78bb7f4f174790 (patch) | |
tree | 29e436490513b653309b15c802c3cb333e80f4aa /flist.c | |
parent | 306d1127304f680d23d49847929725e549ded985 (diff) | |
download | android_external_rsync-4cad402ea8a91031f86c53961d78bb7f4f174790.tar.gz android_external_rsync-4cad402ea8a91031f86c53961d78bb7f4f174790.tar.bz2 android_external_rsync-4cad402ea8a91031f86c53961d78bb7f4f174790.zip |
Receiver now rejects invalid filenames in filelist.
If the receiver gets a filename with a leading slash (w/o --relative)
and/or a filename with an embedded ".." dir in the path, it dies with
an error (rather than continuing). Those invalid paths should never
happen in reality, so just reject someone trying to pull a fast one.
Diffstat (limited to 'flist.c')
-rw-r--r-- | flist.c | 14 |
1 files changed, 8 insertions, 6 deletions
@@ -736,8 +736,11 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x } #endif - if (*thisname) - clean_fname(thisname, 0); + if (*thisname + && (clean_fname(thisname, CFN_REFUSE_DOT_DOT_DIRS) < 0 || (!relative_paths && *thisname == '/'))) { + rprintf(FERROR, "ABORTING due to unsafe pathname from sender: %s\n", thisname); + exit_cleanup(RERR_PROTOCOL); + } if (sanitize_paths) sanitize_path(thisname, thisname, "", 0, SP_DEFAULT); @@ -2554,10 +2557,9 @@ struct file_list *recv_file_list(int f) } /* The --relative option sends paths with a leading slash, so we need - * to specify the strip_root option here. We also want to ensure that - * a non-relative transfer doesn't have any leading slashes or it might - * cause the client a security issue. */ - flist_sort_and_clean(flist, 1); + * to specify the strip_root option here. We rejected leading slashes + * for a non-relative transfer in recv_file_entry(). */ + flist_sort_and_clean(flist, relative_paths); if (protocol_version < 30) { /* Recv the io_error flag */ |