From a27e07d90a4608ceaf928b1babb27d4d803e1992 Mon Sep 17 00:00:00 2001
From: "Alexander V. Lukyanov" <lavv17f@gmail.com>
Date: Tue, 31 Jul 2018 10:57:35 +0300
Subject: [PATCH] mirror: prepend ./ to rm and chmod arguments to avoid URL
 recognition (fix #452)

CVE: CVE-2018-10916
Upstream-Status: Backport from v4.8.4

Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
---
 src/MirrorJob.cc | 24 +++++++++---------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/src/MirrorJob.cc b/src/MirrorJob.cc
index cf106c40..0be45431 100644
--- a/src/MirrorJob.cc
+++ b/src/MirrorJob.cc
@@ -1164,24 +1164,21 @@ int   MirrorJob::Do()
 	    }
 	    continue;
 	 }
+	 bool use_rmdir = (file->TypeIs(file->DIRECTORY)
+			   && recursion_mode==RECURSION_NEVER);
 	 if(script)
 	 {
-	    ArgV args("rm");
-	    if(file->TypeIs(file->DIRECTORY))
-	    {
-	       if(recursion_mode==RECURSION_NEVER)
-		  args.setarg(0,"rmdir");
-	       else
-		  args.Append("-r");
-	    }
+	    ArgV args(use_rmdir?"rmdir":"rm");
+	    if(file->TypeIs(file->DIRECTORY) && !use_rmdir)
+	       args.Append("-r");
 	    args.Append(target_session->GetFileURL(file->name));
 	    xstring_ca cmd(args.CombineQuoted());
 	    fprintf(script,"%s\n",cmd.get());
 	 }
 	 if(!script_only)
 	 {
-	    ArgV *args=new ArgV("rm");
-	    args->Append(file->name);
+	    ArgV *args=new ArgV(use_rmdir?"rmdir":"rm");
+	    args->Append(dir_file(".",file->name));
 	    args->seek(1);
 	    rmJob *j=new rmJob(target_session->Clone(),args);
 	    j->cmdline.set_allocated(args->Combine());
@@ -1185,10 +1182,7 @@ int   MirrorJob::Do()
 	    if(file->TypeIs(file->DIRECTORY))
 	    {
 	       if(recursion_mode==RECURSION_NEVER)
-	       {
-		  args->setarg(0,"rmdir");
 		  j->Rmdir();
-	       }
 	       else
 		  j->Recurse();
 	    }
@@ -1252,7 +1246,7 @@ int   MirrorJob::Do()
 	 if(!script_only)
 	 {
 	    ArgV *a=new ArgV("chmod");
-	    a->Append(file->name);
+	    a->Append(dir_file(".",file->name));
 	    a->seek(1);
 	    ChmodJob *cj=new ChmodJob(target_session->Clone(),
 				 file->mode&~mode_mask,a);
@@ -1372,7 +1366,7 @@ int   MirrorJob::Do()
 	 if(!script_only)
 	 {
 	    ArgV *args=new ArgV("rm");
-	    args->Append(file->name);
+	    args->Append(dir_file(".",file->name));
 	    args->seek(1);
 	    rmJob *j=new rmJob(source_session->Clone(),args);
 	    j->cmdline.set_allocated(args->Combine());
-- 
2.13.3