head	1.4;
access;
symbols
	RELEASE_8_3_0:1.4
	RELEASE_9_0_0:1.4
	RELEASE_7_4_0:1.4
	RELEASE_8_2_0:1.4
	RELEASE_6_EOL:1.4
	RELEASE_8_1_0:1.4
	RELEASE_7_3_0:1.4
	RELEASE_8_0_0:1.3
	RELEASE_7_2_0:1.3
	RELEASE_7_1_0:1.3
	RELEASE_6_4_0:1.3
	RELEASE_5_EOL:1.3
	RELEASE_7_0_0:1.3
	RELEASE_6_3_0:1.3
	PRE_XORG_7:1.3
	RELEASE_4_EOL:1.3
	RELEASE_6_2_0:1.3
	RELEASE_6_1_0:1.3
	RELEASE_5_5_0:1.3
	RELEASE_6_0_0:1.3
	RELEASE_5_4_0:1.3
	RELEASE_4_11_0:1.3
	RELEASE_5_3_0:1.3
	RELEASE_4_10_0:1.2
	RELEASE_5_2_1:1.2
	RELEASE_5_2_0:1.2
	RELEASE_4_9_0:1.2;
locks; strict;
comment	@# @;


1.4
date	2009.10.26.13.27.24;	author ache;	state Exp;
branches;
next	1.3;

1.3
date	2004.05.26.17.57.30;	author ache;	state Exp;
branches;
next	1.2;

1.2
date	2003.07.29.03.41.54;	author ache;	state Exp;
branches;
next	1.1;

1.1
date	2003.07.28.14.43.08;	author ache;	state Exp;
branches;
next	;


desc
@@


1.4
log
@Upgrade to 6.0

PR:             139971
@
text
@--- unix/unix.c.orig	2009-01-24 02:31:26.000000000 +0300
+++ unix/unix.c	2009-10-26 13:22:08.000000000 +0300
@@@@ -610,7 +610,7 @@@@
                  * else allow 8-bit characters (e.g. UTF-8) in filenames:
                  */
                 if (uO.cflxflag ||
-                    (isprint(workch) || (128 <= workch && workch <= 254)))
+		    (isprint(workch) || (128 <= workch && workch <= 255)))
                     *pp++ = (char)workch;
         } /* end switch */
 
@


1.3
log
@Upgrade to 5.51
@
text
@d1 8
a8 8
--- unix/unix.c.bak	Wed May 26 21:40:00 2004
+++ unix/unix.c	Wed May 26 21:40:09 2004
@@@@ -533,7 +533,7 @@@@
 
             default:
                 /* allow European characters in filenames: */
-                if (isprint(workch) || (128 <= workch && workch <= 254))
+                if (isprint(workch) || (128 <= workch && workch <= 255))
@


1.2
log
@Use better ../ & control vulnerability fix

Submitted by:   ITO Tsuyoshi <tsuyoshi@@is.s.u-tokyo.ac.jp>
@
text
@d1 3
a3 64
--- unix/unix.c.orig	Tue Jan 22 01:54:42 2002
+++ unix/unix.c	Tue Jul 29 07:36:54 2003
@@@@ -431,6 +431,7 @@@@
     int killed_ddot = FALSE;       /* is set when skipping "../" pathcomp */
     int error = MPN_OK;
     register unsigned workch;      /* hold the character being tested */
+    int ignore_pathcomp;
 
 
 /*---------------------------------------------------------------------------
@@@@ -466,33 +467,34 @@@@
 
     while ((workch = (uch)*cp++) != 0) {
 
-        if (quote) {                 /* if character quoted, */
-            *pp++ = (char)workch;    /*  include it literally */
+        if (quote) {  /* if character quoted, include it literally */
+                      /* unless it is a slash */
+                      /* A slash should be converted to an underscore */
+            *pp++ = (workch == '/' ? '_' : (char)workch);
             quote = FALSE;
         } else
             switch (workch) {
             case '/':             /* can assume -j flag not given */
                 *pp = '\0';
-                if (((error = checkdir(__G__ pathcomp, APPEND_DIR)) & MPN_MASK)
-                     > MPN_INF_TRUNC)
-                    return error;
-                pp = pathcomp;    /* reset conversion buffer for next piece */
-                lastsemi = (char *)NULL; /* leave directory semi-colons alone */
-                break;
-
-            case '.':
-                if (pp == pathcomp) {   /* nothing appended yet... */
-                    if (*cp == '/') {   /* don't bother appending "./" to */
-                        ++cp;           /*  the path: skip behind the '/' */
-                        break;
-                    } else if (!uO.ddotflag && *cp == '.' && cp[1] == '/') {
+                ignore_pathcomp = FALSE;
+                if (*pathcomp == '.') {
+                    if (pathcomp[1] == '\0') {
+                        /* don't bother appending "./" to the path */
+                        ignore_pathcomp = TRUE;
+                    }
+                    else if (pathcomp[1] == '.' && pathcomp[2] == '\0' && !uO.ddotflag) {
                         /* "../" dir traversal detected */
-                        cp += 2;        /*  skip over behind the '/' */
+                        ignore_pathcomp = TRUE;
                         killed_ddot = TRUE; /*  set "show message" flag */
-                        break;
                     }
                 }
-                *pp++ = '.';
+                if (!ignore_pathcomp) {
+                    if (((error = checkdir(__G__ pathcomp, APPEND_DIR)) & MPN_MASK)
+                        > MPN_INF_TRUNC)
+                        return error;
+                }
+                pp = pathcomp;    /* reset conversion buffer for next piece */
+                lastsemi = (char *)NULL; /* leave directory semi-colons alone */
                 break;
 
             case ';':             /* VMS version (or DEC-20 attrib?) */
@@@@ -519,7 +521,7 @@@@
d10 1
a10 1
             } /* end switch */
@


1.1
log
@Close vulnerability with control char between two dots.
Allow 255 char in file names.
@
text
@d2 2
a3 14
+++ unix/unix.c	Mon Jul 28 18:36:17 2003
@@@@ -421,7 +421,8 @@@@
  */
 {
     char pathcomp[FILNAMSIZ];      /* path-component buffer */
-    char *pp, *cp=(char *)NULL;    /* character pointers */
+    char *pp, *cp=(char *)NULL,    /* character pointers */
+         *dp=(char *)NULL;
     char *lastsemi=(char *)NULL;   /* pointer to last semi-colon in pathcomp */
 #ifdef ACORN_FTYPE_NFS
     char *lastcomma=(char *)NULL;  /* pointer to last comma in pathcomp */
@@@@ -429,6 +430,7 @@@@
 #endif
     int quote = FALSE;             /* flags */
a4 1
+    int snarf_ddot = FALSE;	   /* Is set while scanning for "../" */
d7 5
a12 1
@@@@ -467,6 +469,9 @@@@
d15 6
a20 5
         if (quote) {                 /* if character quoted, */
+	    if ((pp == pathcomp) && (workch == '.'))
+		/* Oh no you don't... */
+		goto ddot_hack;
             *pp++ = (char)workch;    /*  include it literally */
d23 11
a33 4
@@@@ -481,15 +486,44 @@@@
                 break;
 
             case '.':
d35 3
a37 6
+                if (pp == pathcomp) {
+ddot_hack:
+		    /* nothing appended yet... */
                     if (*cp == '/') {   /* don't bother appending "./" to */
                         ++cp;           /*  the path: skip behind the '/' */
                         break;
d39 8
a46 1
-                        /* "../" dir traversal detected */
d48 2
a49 1
-                        killed_ddot = TRUE; /*  set "show message" flag */
a50 32
+                    } else if (!uO.ddotflag) {
+
+			/*
+			 * SECURITY: Skip past control characters if the user
+			 * didn't OK use of absolute pathnames. lhh - this is
+			 * a very quick, ugly, inefficient fix.
+			 */
+			dp = cp;
+			do {
+			    workch = (uch)(*dp);
+			    if (workch == '/' && snarf_ddot) {
+                                /* "../" dir traversal detected */
+                                cp = dp + 1;      /* skip past the '/' */
+                                killed_ddot = TRUE; /* set "show msg" flag */
+                                break;
+                            } else if (workch == '.' && !snarf_ddot) {
+				snarf_ddot = TRUE;
+                	    } else if (isprint(workch) ||
+				       ((workch > 127) && (workch <= 255))) {
+				/*
+				 * Since we found a printable, non-ctrl char,
+				 * we can stop looking for '../', the amount
+				 * in ../!
+				 */
+			        break;
+			    }
+
+			    dp++;
+                        } while (*dp != 0);
+
+			if (killed_ddot)
+			    break;
d53 12
a64 2
                 *pp++ = '.';
@@@@ -519,7 +553,7 @@@@
d69 1
a69 1
+		if (isprint(workch) || (128 <= workch && workch <= 255))
@

