Fix for CAN-2004-0175, based on Markus Friedl's fix for OpenSSH scp.

--- krb5-1.3.3/src/appl/bsd/krcp.c	2003-05-12 18:20:15.000000000 -0400

+++ krb5-1.3.3/src/appl/bsd/krcp.c	2004-04-13 12:01:31.000000000 -0400

@@ -1088,6 +1088,10 @@

 	  size = size * 10 + (*cp++ - '0');

 	if (*cp++ != ' ')

 	  SCREWUP("size not delimited");

+	if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {

+	  error("error: unexpected filename: %s", cp);

+	  exit(1);

+	}

 	if (targisdir) {

           if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf))

 	    SCREWUP("target name too long");

@@ -1101,6 +1105,8 @@

 	nambuf[sizeof(nambuf) - 1] = '\0';

 	exists = stat(nambuf, &stb) == 0;

 	if (cmdbuf[0] == 'D') {

+	    if (!iamrecursive)

+		SCREWUP("received directory without -r");

 	    if (exists) {

 		if ((stb.st_mode&S_IFMT) != S_IFDIR) {

 		    errno = ENOTDIR;

--- krb5-1.3.3/src/appl/bsd/v4rcp.c	2002-07-12 16:21:31.000000000 -0400

+++ krb5-1.3.3/src/appl/bsd/v4rcp.c	2004-04-13 12:01:53.000000000 -0400

@@ -801,6 +801,10 @@

 			size = size * 10 + (*cp++ - '0');

 		if (*cp++ != ' ')

 			SCREWUP("size not delimited");

+		if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {

+			error("error: unexpected filename: %s", cp);

+			exit(1);

+		}

 		if (targisdir) {

 			if (strlen(targ) + strlen(cp) + 1 < sizeof(nambuf)) {

 				(void) sprintf(nambuf, "%s%s%s", targ,

@@ -817,6 +821,8 @@

 		nambuf[sizeof(nambuf)-1] = '\0';

 		exists = stat(nambuf, &stb) == 0;

 		if (cmdbuf[0] == 'D') {

+			if (!iamrecursive)

+				SCREWUP("received directory without -r");

 			if (exists) {

 				if ((stb.st_mode&S_IFMT) != S_IFDIR) {

 					errno = ENOTDIR;