From 8c4594ad31e1150fab162f3c6d5e4e22c041e93f Mon Sep 17 00:00:00 2001
From: Zack Scholl
Date: Tue, 17 Sep 2024 06:39:04 -0700
Subject: [PATCH] fix: check whether path separator + ..
---
 src/croc/croc.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/croc/croc.go b/src/croc/croc.go
index 2b3f8820d..35539a8d4 100644
--- a/src/croc/croc.go
+++ b/src/croc/croc.go
@@ -1220,7 +1220,16 @@ func (c *Client) processMessageFileInfo(m message.Message) (done bool, err error
 for i, fi := range c.FilesToTransfer {
 // Issues #593 - sanitize the sender paths and prevent ".." from being used
 c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote)
- if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..") {
+ if strings.Contains(c.FilesToTransfer[i].FolderRemote, "../") {
+ return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
+ }
+ if strings.Contains(c.FilesToTransfer[i].FolderRemote, "/..") {
+ return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
+ }
+ if strings.Contains(c.FilesToTransfer[i].FolderRemote, "\\..") {
+ return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
+ }
+ if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..\\") {
 return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
 }
 // Issues #593 - disallow specific folders like .ssh
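Review bot: `filepath.Clean` maps both `..` and `../` to the bare string `..`, which contains none of the four substrings tested in the added `if` blocks, so a sender can still name the parent of the receive directory as FolderRemote (assuming it is joined onto that directory downstream, which this hunk does not show). Because Clean also folds every interior `..` component away, the only traversal that can survive it is a leading `..` component, so an equality-or-prefix test covers the whole surface exactly, and on Windows Clean has already turned `/` into `\` so one `filepath.Separator` prefix handles both spellings. An absolute or volume-qualified path (`/tmp`, `C:\`) escapes the receive directory the same way unless it is rejected somewhere outside this hunk. On Go 1.20+ `if !filepath.IsLocal(fr)` expresses the entire condition in one call; the explicit form below works on older toolchains and replaces the four substring checks. processMessageFileInfo begins before the hunk and the loop body continues after it.
```go
c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote)
// Clean removes every interior "..", so a traversal can only survive it as
// the whole path or as a leading ".." component; an absolute or
// volume-qualified path leaves the receive directory just as effectively.
fr := c.FilesToTransfer[i].FolderRemote
if fr == ".." || strings.HasPrefix(fr, ".."+string(filepath.Separator)) ||
	filepath.IsAbs(fr) || filepath.VolumeName(fr) != "" {
	return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
}
// … unchanged: disallow specific folders like .ssh …
```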