krb5/krb5-1.3.3-rcp-markus.dif

Fix for CAN-2004-0175, based on Markus Friedl's fix for OpenSSH scp.

Index: krb5-1.6.3/src/appl/bsd/krcp.c
===================================================================
--- krb5-1.6.3.orig/src/appl/bsd/krcp.c
+++ krb5-1.6.3/src/appl/bsd/krcp.c
@@ -1096,6 +1096,10 @@ void sink(argc, argv)
 	  size = size * 10 + (*cp++ - '0');
 	if (*cp++ != ' ')
 	  SCREWUP("size not delimited");
+	if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+	  error("error: unexpected filename: %s", cp);
+	  exit(1);
+	}
 	if (targisdir) {
           if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf))
 	    SCREWUP("target name too long");
@@ -1109,6 +1113,8 @@ void sink(argc, argv)
 	nambuf[sizeof(nambuf) - 1] = '\0';
 	exists = stat(nambuf, &stb) == 0;
 	if (cmdbuf[0] == 'D') {
+	    if (!iamrecursive)
+		SCREWUP("received directory without -r");
 	    if (exists) {
 		if ((stb.st_mode&S_IFMT) != S_IFDIR) {
 		    errno = ENOTDIR;
Index: krb5-1.6.3/src/appl/bsd/v4rcp.c
===================================================================
--- krb5-1.6.3.orig/src/appl/bsd/v4rcp.c
+++ krb5-1.6.3/src/appl/bsd/v4rcp.c
@@ -807,6 +807,10 @@ void sink(argc, argv)
 			size = size * 10 + (*cp++ - '0');
 		if (*cp++ != ' ')
 			SCREWUP("size not delimited");
+		if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+			error("error: unexpected filename: %s", cp);
+			exit(1);
+		}
 		if (targisdir) {
 			if (strlen(targ) + strlen(cp) + 1 < sizeof(nambuf)) {
 				(void) sprintf(nambuf, "%s%s%s", targ,
@@ -823,6 +827,8 @@ void sink(argc, argv)
 		nambuf[sizeof(nambuf)-1] = '\0';
 		exists = stat(nambuf, &stb) == 0;
 		if (cmdbuf[0] == 'D') {
+			if (!iamrecursive)
+				SCREWUP("received directory without -r");
 			if (exists) {
 				if ((stb.st_mode&S_IFMT) != S_IFDIR) {
 					errno = ENOTDIR;