X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=blobdiff_plain;f=pscp.c;h=0fa1839af5db8da5d35771278a10e847b79c82e9;hb=fb6a1e9d428d7df9644d2413b04f500fa6413b02;hp=1c601e979363cc356abc75526c2c0585ba13d9e1;hpb=89f4cf6a0a6bde2885287cd9cc8f95d639fe99a0;p=PuTTY.git
diff --git a/pscp.c b/pscp.c
index 1c601e97..0fa1839a 100644
--- a/pscp.c
+++ b/pscp.c
@@ -687,7 +687,6 @@ void scp_sftp_listdir(char *dirname)
 for (i = 0; i < names->nnames; i++)
 ournames[nnames++] = names->names[i];
- names->nnames = 0; /* prevent free_names */
 fxp_free_names(names);
 }
@@ -1289,8 +1288,21 @@ int scp_get_sink_action(struct scp_sink_action *act)
 namesize += names->nnames + 128;
 ournames = sresize(ournames, namesize, struct fxp_name);
 }
- for (i = 0; i < names->nnames; i++)
- ournames[nnames++] = names->names[i];
+ for (i = 0; i < names->nnames; i++) {
+ if (!strcmp(names->names[i].filename, ".") ||
+ !strcmp(names->names[i].filename, "..")) {
+ /*
+ * . and .. are normal consequences of
+ * reading a directory, and aren't worth
+ * complaining about.
+ */
+ } else if (!vet_filename(names->names[i].filename)) {
+ tell_user(stderr, "ignoring potentially dangerous server-"
+ "supplied filename '%s'\n",
+ names->names[i].filename);
+ } else
+ ournames[nnames++] = names->names[i];
+ }
 names->nnames = 0; /* prevent free_names */
 fxp_free_names(names);
 }
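Review bot: The two skip branches added to the loop in scp_get_sink_action drop entries without copying them into `ournames`, but the unchanged `names->nnames = 0; /* prevent free_names */` after the loop still stops fxp_free_names from touching any entry, so the strings of every skipped name appear to be leaked (this assumes fxp_free_names releases per-entry data, as that comment implies). Freeing the rejected entry inside those branches, e.g. `sfree(names->names[i].filename);` together with its other owned members, would close this. The rejected name is also echoed to stderr through `'%s'` exactly as the server sent it; unless vet_filename already refuses control characters, non-printable bytes should be replaced before printing so that server-chosen escape sequences never reach the user's terminal. The first hunk removes the same `nnames = 0` reset in scp_sftp_listdir while keeping the shallow copy into `ournames`, which under the same assumption would leave those copies pointing at freed strings, so it is worth confirming against fxp_free_names. Both function bodies start and end outside the hunks shown.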