authorAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2022-04-20 02:54:08 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2022-04-20 02:54:08 +0000
commitcef637a4fb112f4b8cd8e53abcbedbaca226ea36 (patch)
tree62f65196e54f5f914f442679e23ff2113cd0b114
parentc53d859120c1ae3355533293ef72a2db341246ea (diff)
parent68e09aa4fe3bb2448b560c30d3dc33e0982013a7 (diff)
downloadcore-cef637a4fb112f4b8cd8e53abcbedbaca226ea36.tar.gz
Change-Id: I6ff19cc9220deee8a506e9ed4e64e1e644244537
-rw-r--r--adb/client/file_sync_client.cpp11
1 files changed, 11 insertions, 0 deletions
diff --git a/adb/client/file_sync_client.cpp b/adb/client/file_sync_client.cpp
index e686973db..3374812d5 100644
--- a/adb/client/file_sync_client.cpp
+++ b/adb/client/file_sync_client.cpp
@@ -477,6 +477,17 @@ class SyncConnection {
if (!ReadFdExactly(fd, buf, len)) return false;
buf[len] = 0;
+ // Address the unlikely scenario wherein a
+ // compromised device/service might be able to
+ // traverse across directories on the host. Let's
+ // shut that door!
+ if (strchr(buf, '/')
+#if defined(_WIN32)
+ || strchr(buf, '\\')
+#endif
+ ) {
+ return false;
+ }
callback(dent.mode, dent.size, dent.mtime, buf);
}
}
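Review bot: The added separator check lets a name of exactly `..` (or `.`) through, since it contains neither `/` nor `\\`, so it still reaches `callback(dent.mode, dent.size, dent.mtime, buf)`. Whether every callback filters those entries before building a host path is not visible in this hunk, so the comment should say that, for example `// NOTE: "." and ".." are not rejected here; callbacks must skip them before joining with a host path.` On `_WIN32` a name containing `:` (a drive-relative form) also passes both `strchr` tests and may deserve the same treatment. The `return false` is silent, so a listing aborted for this reason looks the same as a short read; emitting a diagnostic that names the rejected entry before returning would make a misbehaving device visible to the user. The enclosing function starts outside the hunk, so its error-reporting convention could not be checked.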