Merge pull request #811 from schollz:schollz/issue796

fix: check whether path separator + ..

src/croc/croc.go

@@ -1220,7 +1220,16 @@ func (c *Client) processMessageFileInfo(m message.Message) (done bool, err error
 	for i, fi := range c.FilesToTransfer {
 		// Issues #593 - sanitize the sender paths and prevent ".." from being used
 		c.FilesToTransfer[i].FolderRemote = filepath.Clean(fi.FolderRemote)
-		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..") {
+		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "../") {
+			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
+		}
+		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "/..") {
+			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
+		}
+		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "\\..") {
+			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
+		}
+		if strings.Contains(c.FilesToTransfer[i].FolderRemote, "..\\") {
 			return true, fmt.Errorf("invalid path detected: '%s'", fi.FolderRemote)
 		}
 		// Issues #593 - disallow specific folders like .ssh