Land rapid7#7931, Fix CVE-2017-5231 and respect user's dest

Brent Cook · Brent Cook · commit 522c6dce8e8a · 2017-02-07T19:22:17.000-06:00
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
@@ -442,7 +442,7 @@ def cmd_download(*args)
           files.each do |file|
             src_separator = client.fs.file.separator
             src_path = file['path'] + client.fs.file.separator + file['name']
-            dest_path = src_path.tr(src_separator, ::File::SEPARATOR)
+            dest_path = ::File.join(dest, ::Rex::FileUtils::clean_path(file['path'].tr(src_separator, ::File::SEPARATOR)))
 
             client.fs.file.download(dest_path, src_path, opts) do |step, src, dst|
               print_status("#{step.ljust(11)}: #{src} -> #{dst}")
