mirrors_public/schollz_croc
1
1
Fork 0
mirror of https://github.com/schollz/croc.git synced 2025-10-10 21:01:02 +02:00
Code Activity

fix: filter escape sequences in filenames

Browse source
This commit is contained in:
Zack 2024-05-20 08:38:36 -07:00
parent b05c3c8c42
commit a591833dbf
2 changed files with 19 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/croc/croc.go
View file

@ -1102,7 +1102,11 @@ func (c *Client) processMessageFileInfo(m message.Message) (done bool, err error
if strings.Contains(c.FilesToTransfer[i].FolderRemote, ".ssh") { if strings.Contains(c.FilesToTransfer[i].FolderRemote, ".ssh") {
return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote) return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
} }
// Issue #595 - disallow filenames with anything but 0-9a-zA-Z.-_. and / characters
if !utils.ValidFileName(path.Join(c.FilesToTransfer[i].FolderRemote, fi.Name)) {
return true, fmt.Errorf("invalid filename detected: '%s'", fi.Name)
}
} }
c.TotalNumberOfContents = 0 c.TotalNumberOfContents = 0
if c.FilesToTransfer != nil { if c.FilesToTransfer != nil {

15
src/utils/utils.go
View file

@ -473,3 +473,18 @@ func UnzipDirectory(destination string, source string) error {
fmt.Fprintf(os.Stderr, "\n") fmt.Fprintf(os.Stderr, "\n")
return nil return nil
} }
// ValidFileName checks if a filename is valid
// and returns true only if it all of the characters are either
// 0-9, a-z, A-Z, ., _, -, space, or /
func ValidFileName(fname string) bool {
for _, r := range fname {
if !((r >= '0' && r <= '9') ||
(r >= 'a' && r <= 'z') ||
(r >= 'A' && r <= 'Z') ||
r == '.' || r == '_' || r == '-' || r == ' ' || r == '/') {
return false
}
}
return true
}