Merge pull request #952 from paulmiro/main

fix: only block ".." in file names if it is used to break out of the base directory
2025-10-10 21:01:02 +02:00 · 2025-08-12 10:13:49 -07:00 · 2025-08-12 10:13:49 -07:00 · aaa39f9c20
commit aaa39f9c20
parent 69889201ee 33667839c6
3 changed files with 19 additions and 18 deletions
--- a/src/croc/croc.go
+++ b/src/croc/croc.go
@ -1244,18 +1244,6 @@ func (c *Client) processMessageFileInfo(m message.Message) (done bool, err error
 	for i, fi := range c.FilesToTransfer {
 		// Issues #593 - sanitize the sender paths and prevent ".." from being used
 		c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote)
-		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "../") {
-			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
-		}
-		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "/..") {
-			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
-		}
-		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "\\..") {
-			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
-		}
-		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..\\") {
-			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
-		}
 		// Issues #593 - disallow specific folders like .ssh
 		if strings.Contains(c.FilesToTransfer[i].FolderRemote, ".ssh") {
 			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
--- a/src/utils/utils.go
+++ b/src/utils/utils.go
@ -589,12 +589,8 @@ func ValidFileName(fname string) (err error) {
 			return
 		}
 	}
-	// make sure basename does not include ".." or path separators
+	// make sure basename does not include path separators
 	_, basename := filepath.Split(fname)
-	if strings.Contains(basename, "..") {
-		err = fmt.Errorf("basename cannot contain '..': '%s'", basename)
-		return
-	}
 	if strings.Contains(basename, string(os.PathSeparator)) {
 		err = fmt.Errorf("basename cannot contain path separators: '%s'", basename)
 		return
@ -604,6 +600,10 @@ func ValidFileName(fname string) (err error) {
 		err = fmt.Errorf("filename cannot be an absolute path: '%s'", fname)
 		return
 	}
+	if !filepath.IsLocal(fname) {
+		err = fmt.Errorf("filename must be a local path: '%s'", fname)
+		return
+	}
 	return
 }

--- a/src/utils/utils_test.go
+++ b/src/utils/utils_test.go
@ -262,6 +262,19 @@ func TestValidFileName(t *testing.T) {
 	err := ValidFileName("D中文.cslouglas")
 	assert.NotNil(t, err)
 	assert.Equal(t, "non-graphical unicode: e2808b U+8203 in '44e4b8ade696872e63736c6f75676c6173e2808b'", err.Error())
-	assert.NotNil(t, ValidFileName("hi..txt"))
+	// contains "..", but not next to a path separator
+	assert.Nil(t, ValidFileName("hi..txt"))
+	// contains "..", but only next to a path separator on one side
+	assert.Nil(t, ValidFileName("rel"+string(os.PathSeparator)+"..txt"))
+	assert.Nil(t, ValidFileName("rel.."+string(os.PathSeparator)+"txt"))
+	// contains ".." between two path separators, but does not break out of the base directory
+	assert.Nil(t, ValidFileName("hi"+string(os.PathSeparator)+".."+string(os.PathSeparator)+"txt"))
+	// contains ".." between two path separators, and breaks out of the base directory
+	assert.NotNil(t, ValidFileName("hi"+string(os.PathSeparator)+".."+string(os.PathSeparator)+".."+string(os.PathSeparator)+"txt"))
+	// contains ".." between a path separator and the beginning or end of the path
+	assert.NotNil(t, ValidFileName(".."+string(os.PathSeparator)+"hi.txt"))
+	assert.NotNil(t, ValidFileName("hi"+string(os.PathSeparator)+".."+string(os.PathSeparator)+".."+string(os.PathSeparator)+"hi.txt"))
+	assert.NotNil(t, ValidFileName(".."))
+	// is an absolute path
 	assert.NotNil(t, ValidFileName(path.Join(string(os.PathSeparator), "abs", string(os.PathSeparator), "hi.txt")))
 }