From 9a7f1ce8b78dae09cf4510a98bd6b81d0d478772 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Scharfe?=
Date: Thu, 25 Mar 2021 17:21:24 +0100
Subject: [PATCH] daemon: sanitize all directory separators
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When sanitizing client-supplied strings on Windows, also strip off backslashes, not just slashes.

Signed-off-by: René Scharfe
Acked-by: Johannes Schindelin
Signed-off-by: Junio C Hamano
---
 daemon.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/daemon.c b/daemon.c
index 2ab7ea82eb0..0561c19ee8b 100644
--- a/daemon.c
+++ b/daemon.c
@@ -566,14 +566,14 @@ static void parse_host_and_port(char *hostport, char **host,
 
 /*
 * Sanitize a string from the client so that it's OK to be inserted into a
- * filesystem path. Specifically, we disallow slashes, runs of "..", and
- * trailing and leading dots, which means that the client cannot escape
- * our base path via ".." traversal.
+ * filesystem path. Specifically, we disallow directory separators, runs
+ * of "..", and trailing and leading dots, which means that the client
+ * cannot escape our base path via ".." traversal.
 */
 static void sanitize_client(struct strbuf *out, const char *in)
 {
 for (; *in; in++) {
- if (*in == '/')
+ if (is_dir_sep(*in))
 continue;
 if (*in == '.' && (!out->len || out->buf[out->len - 1] == '.'))
 continue;
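Review bot: The rewritten comment above sanitize_client() says "directory separators" without saying that the set is whatever is_dir_sep() accepts on the build platform, so a reader cannot tell that a backslash is dropped only on Windows builds and is still copied through elsewhere. I would add one line to the comment, for example ` * The set of separators is platform-specific; see is_dir_sep().`. The filter also remains a denylist: the visible lines do not touch other characters that carry path meaning on Windows, such as ':', and it may be worth confirming that no caller relies on this function to neutralise them. The function body continues past the end of the hunk, so the trailing-dot handling the comment promises is not visible here.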