diff --git a/src/croc/croc.go b/src/croc/croc.go
index 53601528..01019e1a 100644
--- a/src/croc/croc.go
+++ b/src/croc/croc.go
@@ -1244,18 +1244,6 @@ func (c *Client) processMessageFileInfo(m message.Message) (done bool, err error
 for i, fi := range c.FilesToTransfer {
 // Issues #593 - sanitize the sender paths and prevent ".." from being used
 c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote)
- if strings.Contains(c.FilesToTransfer[i].FolderRemote, "../") {
- return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
- }
- if strings.Contains(c.FilesToTransfer[i].FolderRemote, "/..") {
- return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
- }
- if strings.Contains(c.FilesToTransfer[i].FolderRemote, "\\..") {
- return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
- }
- if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..\\") {
- return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
- }
 // Issues #593 - disallow specific folders like .ssh
 if strings.Contains(c.FilesToTransfer[i].FolderRemote, ".ssh") {
 return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
diff --git a/src/utils/utils.go b/src/utils/utils.go
index 58782d68..6c04b410 100644
--- a/src/utils/utils.go
+++ b/src/utils/utils.go
@@ -589,12 +589,8 @@ func ValidFileName(fname string) (err error) {
 return
 }
 }
- // make sure basename does not include ".." or path separators
+ // make sure basename does not include path separators
 _, basename := filepath.Split(fname)
- if strings.Contains(basename, "..") {
- err = fmt.Errorf("basename cannot contain '..': '%s'", basename)
- return
- }
 if strings.Contains(basename, string(os.PathSeparator)) {
 err = fmt.Errorf("basename cannot contain path separators: '%s'", basename)
 return
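Review bot: With the four `strings.Contains` checks removed, nothing left in this loop rejects a `FolderRemote` that still begins with `..` after `filepath.Clean` (Clean turns `a/../../b` into `../b` and leaves leading `..` elements in place), so the `.ssh` substring check is the only guard that remains here. The diff does not show whether `FolderRemote` is separately passed through the updated `ValidFileName`; if it is not, a cleaned sender path can now point outside the receive directory. The same check this commit adds to `ValidFileName` belongs here too: `if !filepath.IsLocal(c.FilesToTransfer[i].FolderRemote) { return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote) }`. The comment above the `filepath.Clean` call still claims it prevents `..` from being used, which Clean alone does not do; reword it to `// Issues #593 - normalize the sender path; traversal outside the receive dir is rejected by the IsLocal check below` once that check is in place. processMessageFileInfo's body continues outside the hunk.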
@@ -604,6 +600,10 @@ func ValidFileName(fname string) (err error) {
 err = fmt.Errorf("filename cannot be an absolute path: '%s'", fname)
 return
 }
+ if !filepath.IsLocal(fname) {
+ err = fmt.Errorf("filename must be a local path: '%s'", fname)
+ return
+ }
 return
 }
diff --git a/src/utils/utils_test.go b/src/utils/utils_test.go
index e7327210..aed77571 100644
--- a/src/utils/utils_test.go
+++ b/src/utils/utils_test.go
@@ -262,6 +262,19 @@ func TestValidFileName(t *testing.T) {
 err := ValidFileName("D中文.cslouglas​")
 assert.NotNil(t, err)
 assert.Equal(t, "non-graphical unicode: e2808b U+8203 in '44e4b8ade696872e63736c6f75676c6173e2808b'", err.Error())
- assert.NotNil(t, ValidFileName("hi..txt"))
+ // contains "..", but not next to a path separator
+ assert.Nil(t, ValidFileName("hi..txt"))
+ // contains "..", but only next to a path separator on one side
+ assert.Nil(t, ValidFileName("rel"+string(os.PathSeparator)+"..txt"))
+ assert.Nil(t, ValidFileName("rel.."+string(os.PathSeparator)+"txt"))
+ // contains ".." between two path separators, but does not break out of the base directory
+ assert.Nil(t, ValidFileName("hi"+string(os.PathSeparator)+".."+string(os.PathSeparator)+"txt"))
+ // contains ".." between two path separators, and breaks out of the base directory
+ assert.NotNil(t, ValidFileName("hi"+string(os.PathSeparator)+".."+string(os.PathSeparator)+".."+string(os.PathSeparator)+"txt"))
+ // contains ".." between a path separator and the beginning or end of the path
+ assert.NotNil(t, ValidFileName(".."+string(os.PathSeparator)+"hi.txt"))
+ assert.NotNil(t, ValidFileName("hi"+string(os.PathSeparator)+".."))
+ assert.NotNil(t, ValidFileName(".."))
+ // is an absolute path
 assert.NotNil(t, ValidFileName(path.Join(string(os.PathSeparator), "abs", string(os.PathSeparator), "hi.txt")))
 }
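Review bot: `filepath.IsLocal` was added to the standard library in Go 1.20, so this hunk makes a 1.20+ toolchain a hard requirement for building the package; the go.mod and CI configuration are not in the diff, so confirm they are at or above that version. IsLocal also returns false for an empty string and, on Windows, for reserved device names such as `NUL` and for volume-relative paths such as `C:foo`, so the `filename must be a local path` error now covers those inputs as well; a comment above the new `if` such as `// filepath.IsLocal rejects "..", leading "../", empty names and, on Windows, reserved device names and volume-relative paths` would stop a later reader from re-adding a hand-rolled ".." scan. Because IsLocal already rejects absolute paths, the absolute-path check whose error text is visible just above it is now redundant on the same inputs, though keeping it preserves the more specific message. ValidFileName's body begins outside this hunk.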
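Review bot: The repeated `string(os.PathSeparator)` concatenations make each new case hard to read at a glance; a local `sep := string(os.PathSeparator)` near the top of the function would let them read as `"hi"+sep+".."+sep+"txt"`. `filepath.Join` is not a substitute here, since it cleans `..` elements and would erase exactly what these cases exercise. The new cases cover the traversal shapes on the host separator, but none uses a literal `"../hi.txt"` independent of `os.PathSeparator`, which `filepath.IsLocal` also rejects on Windows (it treats `/` as a separator there), and none covers the Windows-only reserved-name and volume-relative inputs the new check turns away; a platform-gated case would document that behaviour if the project runs Windows CI, which the diff does not show. TestValidFileName begins outside this hunk.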