mirrors_public/schollz_croc
0
0
Fork 0
mirror of https://github.com/schollz/croc.git synced 2025-10-11 13:21:00 +02:00
Code Activity

Merge pull request #811 from schollz:schollz/issue796

Browse source 
fix: check whether path separator + ..
This commit is contained in:
Zack 2024-09-17 06:39:31 -07:00 committed by GitHub
commit 9be175f1b0
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 10 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

11
src/croc/croc.go
View file

@ -1220,7 +1220,16 @@ func (c *Client) processMessageFileInfo(m message.Message) (done bool, err error
for i, fi := range c.FilesToTransfer { for i, fi := range c.FilesToTransfer {
// Issues #593 - sanitize the sender paths and prevent ".." from being used // Issues #593 - sanitize the sender paths and prevent ".." from being used
c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote) c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote)
if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..") { if strings.Contains(c.FilesToTransfer[i].FolderRemote, "../") {
return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
}
if strings.Contains(c.FilesToTransfer[i].FolderRemote, "/..") {
return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
}
if strings.Contains(c.FilesToTransfer[i].FolderRemote, "\\..") {
return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
}
if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..\\") {
return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote) return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
} }
// Issues #593 - disallow specific folders like .ssh // Issues #593 - disallow specific folders like .ssh