author | René Scharfe <l.s.r@web.de> | 2021-03-25 17:21:24 +0100 |
---|---|---|
committer | Junio C Hamano <gitster@pobox.com> | 2021-03-26 22:00:12 -0700 |
commit | 9a7f1ce8b78dae09cf4510a98bd6b81d0d478772 (patch) | |
tree | c2ec80cb1429ee8624fe4847e77c0d0a80517e1f | |
parent | Git 2.31 (diff) | |
daemon: sanitize all directory separators
When sanitizing client-supplied strings on Windows, also strip off
backslashes, not just slashes.
Signed-off-by: René Scharfe <l.s.r@web.de>
Acked-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rw-r--r-- | daemon.c | 8 |
1 files changed, 4 insertions, 4 deletions
@@ -566,14 +566,14 @@ static void parse_host_and_port(char *hostport, char **host,
 /*
 * Sanitize a string from the client so that it's OK to be inserted into a
- * filesystem path. Specifically, we disallow slashes, runs of "..", and
- * trailing and leading dots, which means that the client cannot escape
- * our base path via ".." traversal.
+ * filesystem path. Specifically, we disallow directory separators, runs
+ * of "..", and trailing and leading dots, which means that the client
+ * cannot escape our base path via ".." traversal.
 */
 static void sanitize_client(struct strbuf *out, const char *in)
 {
 for (; *in; in++) {
- if (*in == '/')
+ if (is_dir_sep(*in))
 continue;
 if (*in == '.' && (!out->len || out->buf[out->len - 1] == '.'))
 continue; |
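Review bot: The rewritten comment above sanitize_client() says "directory separators" without saying that the set is platform-dependent: `is_dir_sep(*in)` drops `/` everywhere, but `\` only on builds whose compat layer treats it as a separator (Windows, per the commit message). I would add a line to the comment such as ` * What counts as a separator is decided by is_dir_sep(): '/' everywhere, plus '\\' on Windows.` so a later reader does not assume backslashes are stripped on every platform. The loop as visible filters only separators and dot runs, so it is worth confirming against the callers whether other characters with special meaning in Windows paths (for example `:`) can reach this function. The diffstat lists only daemon.c, so a regression test that passes a backslash-containing client value through the daemon would pin the new behaviour. The body of sanitize_client() continues past the end of the hunk.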