Bug 1675: Prevent SCP server sending files that were not requested

https://winscp.net/tracker/1675 Source commit: 4aa587620973bf793fb6e783052277c0f7be4b55
winscp · Sep 3, 2018 · 49d876f · 49d876f
1 parent ec5977b
commit 49d876f
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 0 deletions.
diff --git a/source/core/ScpFileSystem.cpp b/source/core/ScpFileSystem.cpp
@@ -2361,6 +2361,10 @@ void __fastcall TSCPFileSystem::SCPSink(const UnicodeString TargetDir,
           {
             FTerminal->LogEvent(FORMAT(L"Warning: Remote host set a compound pathname '%s'", (Line)));
           }
+          if ((Level == 0) && (OnlyFileName != UnixExtractFileName(FileName)))
+          {
+            SCPError(LoadStr(UNREQUESTED_FILE), False);
+          }
 
           FullFileName = SourceDir + OnlyFileName;
           OperationProgress->SetFile(FullFileName);

diff --git a/source/resource/TextsCore.h b/source/resource/TextsCore.h
@@ -270,6 +270,7 @@
 #define S3_STATUS_ACCESS_DENIED 746
 #define UNKNOWN_FILE_ENCRYPTION 747
 #define INVALID_ENCRYPT_KEY     748
+#define UNREQUESTED_FILE        749
 
 #define CORE_CONFIRMATION_STRINGS 300
 #define CONFIRM_PROLONG_TIMEOUT3 301

diff --git a/source/resource/TextsCore1.rc b/source/resource/TextsCore1.rc
@@ -241,6 +241,7 @@ BEGIN
   MISSING_TARGET_BUCKET, "Specify target bucket."
   UNKNOWN_FILE_ENCRYPTION, "File is not encrypted using a known encryption."
   INVALID_ENCRYPT_KEY, "**Invalid encryption key.**\n\nEncryption key for %s encryption must have %d bytes. It must be entered in hexadecimal representation (i.e. %d characters)."
+  UNREQUESTED_FILE, "Server sent a file that was not requested."
 
   CORE_CONFIRMATION_STRINGS, "CORE_CONFIRMATION"
   CONFIRM_PROLONG_TIMEOUT3, "Host is not communicating for %d seconds.\n\nWait for another %0:d seconds?"