filename_convert_dirfsp() doesn't check the smb.conf veto files parameter and so getting files that match, or getting files from a directory that matches is allowed where we should return an error. Such files are never seen by the client, as smbd_dirptr_get_entry() calls IS_VETO_PATH(). Working on test + patch.
Created attachment 17469 [details] git-am fix for master. Tests then adds the missing veto files checks in filename_convert_dirfsp_nosymlink(). I'll run through ci, but it's currently pending https://gitlab.com/samba-team/samba/-/merge_requests/2662 as it's based on top of that.
Created attachment 17470 [details] git-am fix for master. Better version with DBG_DEBUG statements so an admin can see if we rejected a filename. Running ci on it now.
Ci passes here: https://gitlab.com/samba-team/devel/samba/-/pipelines/610650088 Now all I need is for: https://gitlab.com/samba-team/samba/-/merge_requests/2662 to go in first and I'm good to go :-).
Comment on attachment 17470 [details] git-am fix for master. New version in ci.
This bug was referenced in samba master: c6933673222ea9ae2eb74d5586c9495269f51ea0 1c293060204d96bf94427f91eb20eb9decc29a41 1654eae11b9c13308b2b78f70309eb3a56960619
This bug was referenced in samba v4-17-test: 80c090c87b2898af7f793e1289efd66b279a0e5c 9e32b03e1eec07485582c6c0ea67f2f3a7ea89fd ff46ee6ad51be64264f706cf7965ad178033ddd2
This bug was referenced in samba v4-17-stable (Release samba-4.17.0rc2): 80c090c87b2898af7f793e1289efd66b279a0e5c 9e32b03e1eec07485582c6c0ea67f2f3a7ea89fd ff46ee6ad51be64264f706cf7965ad178033ddd2