Receiver now rejects invalid filenames in filelist.

If the receiver gets a filename with a leading slash (w/o --relative)
and/or a filename with an embedded ".." dir in the path, it dies with
an error (rather than continuing). Those invalid paths should never
happen in reality, so just reject someone trying to pull a fast one.

1 files changed, 8 insertions, 6 deletions

diff --git a/flist.c b/flist.c
index a0f05dd0..74c07564 100644
--- a/flist.c
+++ b/flist.c
@@ -736,8 +736,11 @@ static struct file_struct *recv_file_entry(int f, struct file_list *flist, int x
 	}
 #endif
 
-	if (*thisname)
-		clean_fname(thisname, 0);
+	if (*thisname
+	 && (clean_fname(thisname, CFN_REFUSE_DOT_DOT_DIRS) < 0 || (!relative_paths && *thisname == '/'))) {
+		rprintf(FERROR, "ABORTING due to unsafe pathname from sender: %s\n", thisname);
+		exit_cleanup(RERR_PROTOCOL);
+	}
 
 	if (sanitize_paths)
 		sanitize_path(thisname, thisname, "", 0, SP_DEFAULT);
@@ -2554,10 +2557,9 @@ struct file_list *recv_file_list(int f)
 	}
 
 	/* The --relative option sends paths with a leading slash, so we need
-	 * to specify the strip_root option here.  We also want to ensure that
-	 * a non-relative transfer doesn't have any leading slashes or it might
-	 * cause the client a security issue. */
-	flist_sort_and_clean(flist, 1);
+	 * to specify the strip_root option here.  We rejected leading slashes
+	 * for a non-relative transfer in recv_file_entry(). */
+	flist_sort_and_clean(flist, relative_paths);
 
 	if (protocol_version < 30) {
 		/* Recv the io_error flag */