# HG changeset patch # User masneyb # Date 1106099808 0 # Node ID 8ff1c1647b95a07e0f92b4f2c35646382b04951b # Parent ee326bacf8aa1710ce7766bbc3a6a9890ef16e6e 2005-1-18 Brian Masney * lib/protocols.c (gftp_get_next_file) - if the remote server sends a path with the filename, then strip the path off of the filename. If the path didn't match the current directory, then give the user a warning. A malicious server could change the path of the downloaded by adding /../ to the path diff -r ee326bacf8aa -r 8ff1c1647b95 ChangeLog --- a/ChangeLog Mon Jan 17 20:58:21 2005 +0000 +++ b/ChangeLog Wed Jan 19 01:56:48 2005 +0000 @@ -1,3 +1,10 @@ +2005-1-18 Brian Masney + * lib/protocols.c (gftp_get_next_file) - if the remote server sends a + path with the filename, then strip the path off of the filename. If the + path didn't match the current directory, then give the user a warning. + A malicious server could change the path of the downloaded by adding + /../ to the path + 2005-1-16 Brian Masney * configure.in lib/Makefile.am src/gtk/Makefile.am src/text/Makefile.am lib/fsp.c - added FSP to the build system @@ -3224,7 +3231,7 @@ * cvsclean - added this script - * *.[ch] - added $Id: ChangeLog,v 1.393 2005/01/16 16:15:04 masneyb Exp $ tags + * *.[ch] - added $Id: ChangeLog,v 1.394 2005/01/19 01:56:48 masneyb Exp $ tags * debian/* - updated files from Debian maintainer diff -r ee326bacf8aa -r 8ff1c1647b95 lib/protocols.c --- a/lib/protocols.c Mon Jan 17 20:58:21 2005 +0000 +++ b/lib/protocols.c Wed Jan 19 01:56:48 2005 +0000 @@ -595,6 +595,7 @@ gftp_get_next_file (gftp_request * request, const char *filespec, gftp_file * fle) { + char *slashpos, *newfile; int fd, ret; g_return_val_if_fail (request != NULL, GFTP_EFATAL); @@ -612,6 +613,26 @@ { gftp_file_destroy (fle, 0); ret = request->get_next_file (request, fle, fd); + if (fle->file != NULL && (slashpos = strrchr (fle->file, '/')) != NULL) + { + if (*(slashpos + 1) == '\0') + { + gftp_file_destroy (fle, 0); + continue; + } + + *slashpos = '\0'; + newfile = g_strdup (slashpos + 1); + + if (strcmp (fle->file, request->directory) != 0) + request->logging_function (gftp_logging_error, request, + _("Warning: Stripping path off of file '%s'. The stripped path (%s) doesn't match the current directory (%s)\n"), + newfile, fle->file, request->directory, + g_strerror (errno)); + + g_free (fle->file); + fle->file = newfile; + } if (ret >= 0 && fle->file != NULL) fle->utf8_file = gftp_string_to_utf8 (request, fle->file);