schollz / croc

Easily and securely send things from one computer to another :crocodile: :package:
https://schollz.com/software/croc6
MIT License

can't send files with `..` in filename #796

Open z-erica opened 2 weeks ago

z-erica commented 2 weeks ago

receiving side:

```
Enter receive code: [...]
securing channel...2024/09/01 07:42:35 basename cannot contain '..': '[...]'
```

croc version v10.0.11

nekopsykose commented 2 weeks ago

to be clear, it means filenames like `mysupercoolfilename..mp4`, and not things with a leading `..`

nekopsykose commented 2 weeks ago

https://github.com/schollz/croc/blob/01609df9024ab6a81e212a1d662d9628be947851/src/utils/utils.go#L598 should probably be something like StartsWith instead of Contains but i don't know if there's more filename based pitfalls to be aware of

asukaminato0721 commented 1 week ago

> https://github.com/schollz/croc/blob/01609df9024ab6a81e212a1d662d9628be947851/src/utils/utils.go#L598 should probably be something like StartsWith instead of Contains but i don't know if there's more filename based pitfalls to be aware of

https://stackoverflow.com/questions/12667327/go-startswithstr-string

```go
if strings.HasPrefix(basename, "..") {
```

schollz commented 1 week ago

Anytime ".." is next to a path separator should be excluded
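
Added example (not part of the thread and not croc's code): the three rules discussed above, run side by side over constructed file names, showing that the substring check refuses harmless names while the prefix check lets `a/../b` through. The function names, treating both `/` and `\` as separators on every OS, and refusing a bare `..` are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedByContains: the behaviour reported in the issue, any ".." is refused.
func allowedByContains(name string) bool { return !strings.Contains(name, "..") }

// allowedByPrefix: the HasPrefix variant suggested in the thread.
func allowedByPrefix(name string) bool { return !strings.HasPrefix(name, "..") }

// isSep treats both '/' and '\' as path separators (assumption: the sender
// may run a different OS than the receiver).
func isSep(c byte) bool { return c == '/' || c == '\\' }

// allowedBySeparatorRule: refuse ".." only when a path separator sits directly
// before or after it. Refusing a bare ".." is an assumption of this sketch.
func allowedBySeparatorRule(name string) bool {
	if name == ".." {
		return false
	}
	for i := 0; i+1 < len(name); i++ {
		if name[i] != '.' || name[i+1] != '.' {
			continue
		}
		if (i > 0 && isSep(name[i-1])) || (i+2 < len(name) && isSep(name[i+2])) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample names; only the first one appears in the thread.
	names := []string{"mysupercoolfilename..mp4", "..hidden", "..", "../x", `..\x`, "a/../b"}
	fmt.Printf("%-28s %-9s %-9s %s\n", "name", "contains", "prefix", "separator")
	for _, n := range names {
		fmt.Printf("%-28q %-9v %-9v %v\n", n,
			allowedByContains(n), allowedByPrefix(n), allowedBySeparatorRule(n))
	}
}
```

Each column prints `true` when that rule would accept the name.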