krb5/krb5-1.3.3-rcp-markus.patch
Nalin Dahyabhai 73316152b6 - fix double-close in keytab handling
- add port of fixes for CAN-2004-0175 to krb5-aware rcp
2005-06-24 20:28:25 +00:00


Fix for CAN-2004-0175, based on Markus Friedl's fix for OpenSSH scp.
--- krb5-1.3.3/src/appl/bsd/krcp.c 2003-05-12 18:20:15.000000000 -0400
+++ krb5-1.3.3/src/appl/bsd/krcp.c 2004-04-13 12:01:31.000000000 -0400
@@ -1088,6 +1088,10 @@
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ error("error: unexpected filename: %s", cp);
+ exit(1);
+ }
if (targisdir) {
if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf))
SCREWUP("target name too long");
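Review bot: The added filename check rejects any name containing `/` and the exact name `..`, but an empty name and `.` still pass, and in the `targisdir` branch just below those would presumably make `nambuf` refer to the target directory itself rather than to an entry inside it. What later code does with that path is mostly outside the hunk, but the `D` handling in the next hunk stats it and tests its mode, so the remote side should not be able to name it. I would widen the condition to `if (*cp == '\0' || strchr(cp, '/') != NULL || strcmp(cp, ".") == 0 || strcmp(cp, "..") == 0) {`. The identical check added to v4rcp.c at @@ -801 needs the same change. The enclosing function starts and ends outside both hunks.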
@@ -1101,6 +1105,8 @@
nambuf[sizeof(nambuf) - 1] = '\0';
exists = stat(nambuf, &stb) == 0;
if (cmdbuf[0] == 'D') {
+ if (!iamrecursive)
+ SCREWUP("received directory without -r");
if (exists) {
if ((stb.st_mode&S_IFMT) != S_IFDIR) {
errno = ENOTDIR;
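Review bot: The new `if (!iamrecursive)` guard carries no comment, and the reason for it is not obvious from the code: the record type in `cmdbuf[0]` appears to come from the remote side, so a `D` record can arrive even when the user never asked for a recursive copy. A one-line comment above the guard would do, e.g. `/* 'D' is chosen by the peer; only honour it when -r was requested (CAN-2004-0175) */`. The same guard is added without a comment in v4rcp.c at @@ -817. The enclosing function is only partly visible in this hunk.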
--- krb5-1.3.3/src/appl/bsd/v4rcp.c 2002-07-12 16:21:31.000000000 -0400
+++ krb5-1.3.3/src/appl/bsd/v4rcp.c 2004-04-13 12:01:53.000000000 -0400
@@ -801,6 +801,10 @@
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ error("error: unexpected filename: %s", cp);
+ exit(1);
+ }
if (targisdir) {
if (strlen(targ) + strlen(cp) + 1 < sizeof(nambuf)) {
(void) sprintf(nambuf, "%s%s%s", targ,
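Review bot: The rejection path passes `cp` straight into `error("error: unexpected filename: %s", cp)`, and `cp` is the name supplied by the remote side, so any non-printable bytes in it reach whatever `error()` writes to (its definition is not in this hunk). A fixed message avoids echoing peer-controlled text and matches the `SCREWUP(...)` convention on the surrounding lines, assuming `SCREWUP` ends the transfer as its neighbouring uses suggest: `SCREWUP("unexpected filename");`. If the name has to be shown for diagnosis, it should be filtered to printable characters first. The krcp.c check at @@ -1088 has the same pattern.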
@@ -817,6 +821,8 @@
nambuf[sizeof(nambuf)-1] = '\0';
exists = stat(nambuf, &stb) == 0;
if (cmdbuf[0] == 'D') {
+ if (!iamrecursive)
+ SCREWUP("received directory without -r");
if (exists) {
if ((stb.st_mode&S_IFMT) != S_IFDIR) {
errno = ENOTDIR;