From 9f86ddc9652247233f32b241a79d5aa4fb9d4afa Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <andrew@tridgell.net>
Date: Tue, 26 Nov 2024 09:16:31 +1100
Subject: [PATCH] disallow ../ elements in relpath for secure_relative_open

CVE: CVE-2024-12086

Upstream-Status: Backport [https://git.samba.org/?p=rsync.git;a=commit;h=9f86ddc9652247233f32b241a79d5aa4fb9d4afa]

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 syscall.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/syscall.c b/syscall.c
index cffc814b..081357bb 100644
--- a/syscall.c
+++ b/syscall.c
@@ -716,6 +716,8 @@ int do_open_nofollow(const char *pathname, int flags)
   must be a relative path, and the relpath must not contain any
   elements in the path which follow symlinks (ie. like O_NOFOLLOW, but
   applies to all path components, not just the last component)
+
+  The relpath must also not contain any ../ elements in the path
 */
 int secure_relative_open(const char *basedir, const char *relpath, int flags, mode_t mode)
 {
@@ -724,6 +726,11 @@ int secure_relative_open(const char *basedir, const char *relpath, int flags, mo
		errno = EINVAL;
		return -1;
	}
+	if (strncmp(relpath, "../", 3) == 0 || strstr(relpath, "/../")) {
+		// no ../ elements allowed in the relpath
+		errno = EINVAL;
+		return -1;
+	}

 #if !defined(O_NOFOLLOW) || !defined(O_DIRECTORY)
	// really old system, all we can do is live with the risks
--
2.40.0