From ce4f4c5cf705b7c4e1a6ed93675998d51aa3ca56 Mon Sep 17 00:00:00 2001
From: psychon
Date: Tue, 21 Jul 2009 18:49:02 +0000
Subject: [PATCH] Fix a high-impact directory traversal bug
You can upload files to znc via /dcc send *status. The files will be saved in /users//downloads/. The code for this didn't do any checking on the file name at all and thus allowed directory traversal attacks by all znc users (no admin privileges required!). By exploiting this bug, attackers could e.g. upload a new ssh authorized_keys file or upload a znc module which lets everyone gain shell access. Anything is possible. Again: ONLY A NORMAL USER ACCOUNT NEEDED, no admin privileges. THE ATTACKER GOT WRITE ACCESS TO ALL PLACES ZNC GOT WRITE ACCESS TO.
git-svn-id: https://znc.svn.sourceforge.net/svnroot/znc/trunk@1570 726aef4b-f618-498e-8847-2d620e286838
---
 Client.cpp | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/Client.cpp b/Client.cpp
index ad7d2de1..648a1a8d 100644
--- a/Client.cpp
+++ b/Client.cpp
@@ -421,9 +421,14 @@ void CClient::ReadLine(const CString& sData) {
 return;
 }
- CString sLocalFile = sPath + "/" + sFile;
+ CString sAbsolutePath = CDir::CheckPathPrefix(sPath, sFile);
- m_pUser->GetFile(GetNick(), CUtils::GetIP(uLongIP), uPort, sLocalFile, uFileSize);
+ if (sAbsolutePath.empty()) {
+ PutStatus("Illegal path.");
+ return;
+ }
+
+ m_pUser->GetFile(GetNick(), CUtils::GetIP(uLongIP), uPort, sAbsolutePath, uFileSize);
 } else {
 MODULECALL(OnDCCUserSend(CString(m_pUser->GetStatusPrefix() + sTarget), uLongIP, uPort, sFile, uFileSize), m_pUser, this, return);
 }
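Review bot: The `else` branch at the end of the hunk still hands the client-supplied `sFile` to `OnDCCUserSend` unchecked, so any module that builds a local path from it needs the same containment check the `*status` branch now gets from `CDir::CheckPathPrefix`. I would add a comment above the `MODULECALL` line, for example `// sFile is client-controlled and unvalidated here; modules must not use it as a path without a prefix check`. The rejected case only sends "Illegal path." back to the client; also logging the user and the rejected name there would make traversal attempts visible to the operator. Whether `CheckPathPrefix` resolves symlinks or only compares paths lexically is not visible in this hunk and is worth confirming. `ReadLine` starts and ends outside the hunk.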