[ntpsec commit] Plug a potential vulnerability on OpenVMS or Stratus VOS.
Eric S. Raymond
esr at ntpsec.org
Thu Oct 1 20:19:08 UTC 2015
Module: ntpsec
Branch: master
Commit: 92cb53783a6d8a3508c5d6a57bcbc940881c2a72
Changeset: http://git.ntpsec.org/ntpsec/commit/?id=92cb53783a6d8a3508c5d6a57bcbc940881c2a72
Author: Eric S. Raymond <esr at thyrsus.com>
Date: Thu Oct 1 13:52:38 2015 -0400
Plug a potential vulnerability on OpenVMS or Stratus VOS.
---
ntpd/ntp_control.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index a2d5163..5f9c40f 100644
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -856,14 +856,17 @@ save_config(
strlcpy(filename, filespec, sizeof(filename));
/*
- * Conceptually we should be searching for DIRSEP in filename,
+ * Conceptually we should be searching for DIR_SEP in filename,
* however Windows actually recognizes both forward and
* backslashes as equivalent directory separators at the API
* level. On POSIX systems we could allow '\\' but such
* filenames are tricky to manipulate from a shell, so just
- * reject both types of slashes on all platforms.
+ * reject both types of slashes on all platforms. We add
+ * DIR_SEP anyway so we don't have a vulnerability pop up
+ * in case the code is ported to OpenVMS or Stratus VOS or
+ * something.
*/
- if (strchr(filename, '\\') || strchr(filename, '/')) {
+ if (strchr(filename, DIR_SEP) || strchr(filename, '\\') || strchr(filename, '/')) {
snprintf(reply, sizeof(reply),
"saveconfig does not allow directory in filename");
ctl_putdata(reply, strlen(reply), 0);
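Review bot: The new test in the `if` condition, `strchr(filename, DIR_SEP)`, only works if DIR_SEP is a single character constant, and it only covers one delimiter per platform. The hunk does not show where DIR_SEP is defined, so please confirm it is a `char` (not a string literal) on every build that compiles this file. OpenVMS file specifications also use `:` for the device and `[`, `]` and `.` for the directory part, so a single-character check would not deliver what the comment promises for that port. A more robust form of this check would accept only a known-safe set of filename characters and reject everything else, rather than listing separators to refuse. The comment should also name the actual guarantee ("filename must contain no path component") instead of ending in "or something", and the condition line now runs well past 80 columns and could be wrapped.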