fix: check whether path separator + ..

2025-10-11 05:11:06 +02:00 · 2024-09-17 06:39:04 -07:00 · 2024-09-17 06:39:04 -07:00 · 8c4594ad31
commit 8c4594ad31
parent 519ce8c669
1 changed files with 10 additions and 1 deletions
--- a/src/croc/croc.go
+++ b/src/croc/croc.go
@ -1220,7 +1220,16 @@ func (c *Client) processMessageFileInfo(m message.Message) (done bool, err error
 	for i, fi := range c.FilesToTransfer {
 		// Issues #593 - sanitize the sender paths and prevent ".." from being used
 		c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote)
-		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..") {
+		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "../") {
+			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
+		}
+		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "/..") {
+			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
+		}
+		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "\\..") {
+			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
+		}
+		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..\\") {
 			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
 		}
 		// Issues #593 - disallow specific folders like .ssh