extern int verbose;
extern int rsync_port;
char *auth_user;
+int sanitize_paths = 0;
int start_socket_client(char *host, char *path, int argc, char *argv[])
{
io_printf(fd,"@ERROR: chdir failed\n");
return -1;
}
+ sanitize_paths = 1;
}
if (am_root) {
request = strdup(p);
start_glob++;
}
- glob_expand(name, argv, &argc, MAX_ARGS, !use_chroot);
+ glob_expand(name, argv, &argc, MAX_ARGS);
} else {
argc++;
}
}
}
- if (!use_chroot) {
+ if (sanitize_paths) {
/*
* Note that this is applied to all parameters, whether or not
* they are filenames, but no other legal parameters contain
* and which aren't.
*/
for (i = 1; i < argc; i++) {
- sanitize_path(argv[i]);
+ sanitize_path(argv[i], NULL);
}
}
extern int copy_unsafe_links;
extern int remote_version;
extern int io_error;
+extern int sanitize_paths;
static char topsrcname[MAXPATHLEN];
clean_fname(thisname);
+ if (sanitize_paths) {
+ sanitize_path(thisname, NULL);
+ }
+
if ((p = strrchr(thisname,'/'))) {
static char *lastdir;
*p = 0;
file->link = (char *)malloc(l+1);
if (!file->link) out_of_memory("receive_file_entry 2");
read_sbuf(f,file->link,l);
+ if (sanitize_paths) {
+ sanitize_path(file->link, file->dirname);
+ }
}
#if SUPPORT_HARD_LINKS
strlcpy(cleaned_name, fname, MAXPATHLEN);
cleaned_name[MAXPATHLEN-1] = 0;
clean_fname(cleaned_name);
+ if (sanitize_paths) {
+ sanitize_path(cleaned_name, NULL);
+ }
fname = cleaned_name;
memset(sum,0,SUM_LENGTH);
}
-static void glob_expand_one(char *s, char **argv, int *argc, int maxargs, int sanitize_paths)
+static void glob_expand_one(char *s, char **argv, int *argc, int maxargs)
{
#if !(defined(HAVE_GLOB) && defined(HAVE_GLOB_H))
if (!*s) s = ".";
(*argc)++;
return;
#else
+ extern int sanitize_paths;
glob_t globbuf;
int i;
if (!*s) s = ".";
- s = strdup(s);
- sanitize_path(s);
- argv[*argc] = s;
+ argv[*argc] = strdup(s);
+ if (sanitize_paths) {
+ sanitize_path(argv[*argc], NULL);
+ }
memset(&globbuf, 0, sizeof(globbuf));
glob(argv[*argc], 0, NULL, &globbuf);
#endif
}
-void glob_expand(char *base1, char **argv, int *argc, int maxargs, int sanitize_paths)
+void glob_expand(char *base1, char **argv, int *argc, int maxargs)
{
char *s = argv[*argc];
char *p, *q;
while ((p = strstr(q,base)) && ((*argc) < maxargs)) {
/* split it at this point */
*p = 0;
- glob_expand_one(q, argv, argc, maxargs, sanitize_paths);
+ glob_expand_one(q, argv, argc, maxargs);
q = p+strlen(base);
}
- if (*q && (*argc < maxargs)) glob_expand_one(q, argv, argc, maxargs, sanitize_paths);
+ if (*q && (*argc < maxargs)) glob_expand_one(q, argv, argc, maxargs);
free(s);
free(base);
/*
* Make path appear as if a chroot had occurred:
* 1. remove leading "/" (or replace with "." if at end)
- * 2. remove leading ".." components
+ * 2. remove leading ".." components (except those allowed by "reldir")
* 3. delete any other "<dir>/.." (recursively)
+ * If "reldir" is non-null, it is a sanitized directory that the path will be
+ * relative to, so allow as many ".." at the beginning of the path as
+ * there are components in reldir.
* While we're at it, remove double slashes and "." components like
* clean_fname does(), but DON'T remove a trailing slash because that
* is sometimes significant on command line arguments.
* Contributed by Dave Dykstra <dwd@bell-labs.com>
*/
-void sanitize_path(char *p)
+void sanitize_path(char *p, char *reldir)
{
char *start, *sanp;
+ int depth = 0;
+ int allowdotdot = 0;
+ if (reldir) {
+ depth++;
+ while (*reldir) {
+ if (*reldir++ == '/') {
+ depth++;
+ }
+ }
+ }
start = p;
sanp = p;
while (*p == '/') {
/* skip following slashes */
;
}
- } else if ((*p == '.') && (*(p+1) == '.') &&
+ continue;
+ }
+ allowdotdot = 0;
+ if ((*p == '.') && (*(p+1) == '.') &&
((*(p+2) == '/') || (*(p+2) == '\0'))) {
- /* skip ".." component followed by slash or end */
- p += 2;
- if (*p == '/')
- p++;
- if (sanp != start) {
- /* back up sanp one level */
- --sanp; /* now pointing at slash */
- while ((sanp > start) && (*(sanp - 1) != '/')) {
- /* skip back up to slash */
- sanp--;
+ /* ".." component followed by slash or end */
+ if ((depth > 0) && (sanp == start)) {
+ /* allow depth levels of .. at the beginning */
+ --depth;
+ allowdotdot = 1;
+ } else {
+ p += 2;
+ if (*p == '/')
+ p++;
+ if (sanp != start) {
+ /* back up sanp one level */
+ --sanp; /* now pointing at slash */
+ while ((sanp > start) && (*(sanp - 1) != '/')) {
+ /* skip back up to slash */
+ sanp--;
+ }
}
+ continue;
}
- } else {
- while (1) {
- /* copy one component through next slash */
- *sanp++ = *p++;
- if ((*p == '\0') || (*(p-1) == '/')) {
- while (*p == '/') {
- /* skip multiple slashes */
- p++;
- }
- break;
+ }
+ while (1) {
+ /* copy one component through next slash */
+ *sanp++ = *p++;
+ if ((*p == '\0') || (*(p-1) == '/')) {
+ while (*p == '/') {
+ /* skip multiple slashes */
+ p++;
}
+ break;
}
}
+ if (allowdotdot) {
+ /* move the virtual beginning to leave the .. alone */
+ start = sanp;
+ }
}
- if (sanp == start) {
+ if ((sanp == start) && !allowdotdot) {
/* ended up with nothing, so put in "." component */
*sanp++ = '.';
}
Matt McCutchen's Web Site / rsync / rsync.git / commitdiff