| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253 |
- From a6ae0fbe9c50733e0f645f5bd16e1db38c592c3d Mon Sep 17 00:00:00 2001
- From: Daniel Stenberg <daniel@haxx.se>
- Date: Wed, 31 Jan 2018 08:40:11 +0100
- Subject: [PATCH] FTP: reject path components with control codes
- Refuse to operate when given path components featuring byte values lower
- than 32.
- Previously, inserting a %00 sequence early in the directory part when
- using the 'singlecwd' ftp method could make curl write a zero byte
- outside of the allocated buffer.
- Test case 340 verifies.
- CVE-2018-1000120
- Reported-by: Duy Phan Thanh
- Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
- ---
- lib/ftp.c | 8 ++++----
- tests/data/Makefile.inc | 3 +++
- tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 47 insertions(+), 4 deletions(-)
- create mode 100644 tests/data/test340
- --- a/lib/ftp.c
- +++ b/lib/ftp.c
- @@ -3235,7 +3235,7 @@ static CURLcode ftp_done(struct connectd
-
- if(!result)
- /* get the "raw" path */
- - result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);
- + result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);
- if(result) {
- /* We can limp along anyway (and should try to since we may already be in
- * the error path) */
- @@ -4241,7 +4241,7 @@ CURLcode ftp_parse_url_path(struct conne
- result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",
- slash_pos ? dirlen : 1,
- &ftpc->dirs[0], NULL,
- - FALSE);
- + TRUE);
- if(result) {
- freedirs(ftpc);
- return result;
- @@ -4349,7 +4349,7 @@ CURLcode ftp_parse_url_path(struct conne
- size_t dlen;
- char *path;
- CURLcode result =
- - Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);
- + Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);
- if(result) {
- freedirs(ftpc);
- return result;
|
