mirror of
https://github.com/schollz/croc.git
synced 2025-10-11 05:11:06 +02:00
Merge pull request #697 from schollz/issue593
fix: client quits when discovering dangerous paths
This commit is contained in:
commit
3f12f75fae
2 changed files with 37 additions and 0 deletions
|
@ -1092,6 +1092,22 @@ func (c *Client) processMessageFileInfo(m message.Message) (done bool, err error
|
|||
c.EmptyFoldersToTransfer = senderInfo.EmptyFoldersToTransfer
|
||||
c.TotalNumberFolders = senderInfo.TotalNumberFolders
|
||||
c.FilesToTransfer = senderInfo.FilesToTransfer
|
||||
for i, fi := range c.FilesToTransfer {
|
||||
// Issues #593 - sanitize the sender paths and prevent ".." from being used
|
||||
c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote)
|
||||
if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..") {
|
||||
return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
|
||||
}
|
||||
// Issues #593 - disallow specific folders like .ssh
|
||||
if strings.Contains(c.FilesToTransfer[i].FolderRemote, ".ssh") {
|
||||
return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
|
||||
}
|
||||
// Issue #595 - disallow filenames with anything but 0-9a-zA-Z.-_. and / characters
|
||||
|
||||
if !utils.ValidFileName(path.Join(c.FilesToTransfer[i].FolderRemote, fi.Name)) {
|
||||
return true, fmt.Errorf("invalid filename detected: '%s'", fi.Name)
|
||||
}
|
||||
}
|
||||
c.TotalNumberOfContents = 0
|
||||
if c.FilesToTransfer != nil {
|
||||
c.TotalNumberOfContents += len(c.FilesToTransfer)
|
||||
|
|
|
@ -438,6 +438,12 @@ func UnzipDirectory(destination string, source string) error {
|
|||
filePath := filepath.Join(destination, f.Name)
|
||||
fmt.Fprintf(os.Stderr, "\r\033[2K")
|
||||
fmt.Fprintf(os.Stderr, "\rUnzipping file %s", filePath)
|
||||
// Issue #593 conceal path traversal vulnerability
|
||||
// make sure the filepath does not have ".."
|
||||
filePath = filepath.Clean(filePath)
|
||||
if strings.Contains(filePath, "..") {
|
||||
log.Fatalf("Invalid file path %s\n", filePath)
|
||||
}
|
||||
if f.FileInfo().IsDir() {
|
||||
os.MkdirAll(filePath, os.ModePerm)
|
||||
continue
|
||||
|
@ -467,3 +473,18 @@ func UnzipDirectory(destination string, source string) error {
|
|||
fmt.Fprintf(os.Stderr, "\n")
|
||||
return nil
|
||||
}
|
||||
|
||||
// ValidFileName checks if a filename is valid
|
||||
// and returns true only if it all of the characters are either
|
||||
// 0-9, a-z, A-Z, ., _, -, space, or /
|
||||
func ValidFileName(fname string) bool {
|
||||
for _, r := range fname {
|
||||
if !((r >= '0' && r <= '9') ||
|
||||
(r >= 'a' && r <= 'z') ||
|
||||
(r >= 'A' && r <= 'Z') ||
|
||||
r == '.' || r == '_' || r == '-' || r == ' ' || r == '/') {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue