[PATCH] FISH DoS when copying file with '`' in name to remote FS



Hi all,

there's a problem when copying a file named like "file`" to a remote
filesystem via FISH. It simply won't do anything because of an error in
the BASH script which is generated in vfs/fish.c, caused by the filename.
The attached patch should fix it.

References:
http://bugzilla.redhat.com/214255

Jindrich
-- 
Jindrich Novy <jnovy redhat com>, http://people.redhat.com/jnovy/
(o_                                                           _o)
//\      The worst evil in the world is refusal to think.     //\
V_/_                                                         _\_V

--- mc/vfs/fish.c.fishfix	2006-11-08 19:23:12.000000000 +0100
+++ mc/vfs/fish.c	2006-11-08 19:21:49.000000000 +0100
@@ -532,40 +532,42 @@
 	n = fish_command (me, super, WAIT_REPLY,
 		 "#STOR %lu /%s\n"
 		 "echo '### 001'\n"
+		 "file=/%s\n"
                  "res=`exec 3>&1\n"
 		 "(\n"
 		   "head -c %lu -q - || echo DD >&3\n"
 		 ") 2>/dev/null | (\n"
-		   "cat > /%s\n"
+		   "cat > \"$file\"\n"
 		   "cat > /dev/null\n"
 		 ")`; [ \"$res\" = DD ] && {\n"
-			"> /%s\n"
+			"> \"$file\"\n"
 			"rest=%lu\n"
 			"while [ $rest -gt 0 ]\n"
 			"do\n"
 			"    cnt=`expr \\( $rest + 255 \\) / 256`\n"
-			"    n=`dd bs=256 count=$cnt | tee -a /%s | wc -c`\n"
+			"    n=`dd bs=256 count=$cnt | tee -a \"$file\" | wc -c`\n"
 			"    rest=`expr $rest - $n`\n"
 			"done\n"
 		 "}; echo '### 200'\n",
 		 (unsigned long) s.st_size, name,
-		 (unsigned long) s.st_size, quoted_name,
-		 quoted_name, (unsigned long) s.st_size, quoted_name);
+		 quoted_name, (unsigned long) s.st_size,
+		 (unsigned long) s.st_size);
     else
 	n = fish_command (me, super, WAIT_REPLY,
 		 "#STOR %lu /%s\n"
 		 "echo '### 001'\n"
 		 "{\n"
+			"file=/%s\n"
 			"rest=%lu\n"
 			"while [ $rest -gt 0 ]\n"
 			"do\n"
 			"    cnt=`expr \\( $rest + 255 \\) / 256`\n"
-			"    n=`dd bs=256 count=$cnt | tee -a /%s | wc -c`\n"
+			"    n=`dd bs=256 count=$cnt | tee -a \"$file\" | wc -c`\n"
 			"    rest=`expr $rest - $n`\n"
 			"done\n"
 		 "}; echo '### 200'\n",
 		 (unsigned long) s.st_size, name,
-		 (unsigned long) s.st_size, quoted_name);
+		 quoted_name, (unsigned long) s.st_size);
 
     g_free (quoted_name);
     if (n != PRELIM) {
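
Review bot: The added "file=/%s" lines in both branches are now the only place quoted_name reaches the shell, but nothing in the code records that the assignment has to stay outside the backtick substitutions (res=`...` and n=`dd ...`) for the escaping to hold. A short C comment above each "file=/%s" line saying so would keep a later edit from moving the name back inside them. The assignment is also unquoted, so it is only as safe as whatever produces quoted_name, which this hunk does not show; please confirm it escapes whitespace and every shell metacharacter, not just the backtick. The "#STOR %lu /%s" line still receives the raw name; if that is intentional because the shell treats the line as a comment, the same code comment should say so. The reordered argument lists do match the new format strings in both calls.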

