bagder/reject-file-embeded-%00 Secret

## reject-file-embeded-%00
From 1f648221a2f9b7fba621ad53a54117e92a393bd3 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 25 Sep 2014 13:44:24 +0200
Subject: [PATCH] file: reject paths using embedded %00

Mostly because we use C strings and they end at a binary zero so we know
we can't open a file name using an embedded binary zero.

Reported-by: Pierre Joye
---
 lib/file.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/lib/file.c b/lib/file.c
index 73df42e..230f1c2 100644
--- a/lib/file.c
+++ b/lib/file.c
@@ -194,12 +194,13 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
   int fd;
 #ifdef DOS_FILESYSTEM
   int i;
   char *actual_path;
 #endif
+  int real_path_len;

-  real_path = curl_easy_unescape(data, data->state.path, 0, NULL);
+  real_path = curl_easy_unescape(data, data->state.path, 0, &real_path_len);
   if(!real_path)
     return CURLE_OUT_OF_MEMORY;

 #ifdef DOS_FILESYSTEM
   /* If the first character is a slash, and there's
@@ -220,20 +221,27 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
   if((actual_path[0] == '/') &&
       actual_path[1] &&
      (actual_path[2] == ':' || actual_path[2] == '|')) {
     actual_path[2] = ':';
     actual_path++;
+    real_path_len--;
   }

   /* change path separators from '/' to '\\' for DOS, Windows and OS/2 */
-  for(i=0; actual_path[i] != '\0'; ++i)
+  for(i=0; i < real_path_len; ++i)
     if(actual_path[i] == '/')
       actual_path[i] = '\\';
+    else if(!actual_path[i]) /* binary zero */
+      return CURLE_URL_MALFORMAT;

   fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
   file->path = actual_path;
 #else
+  if(memchr(real_path, 0, real_path_len))
+    /* binary zeroes indicate foul play */
+    return CURLE_URL_MALFORMAT;
+
   fd = open_readonly(real_path, O_RDONLY);
   file->path = real_path;
 #endif
   file->freepath = real_path; /* free this when done */

--
2.1.1
	From 1f648221a2f9b7fba621ad53a54117e92a393bd3 Mon Sep 17 00:00:00 2001
	From: Daniel Stenberg <daniel@haxx.se>
	Date: Thu, 25 Sep 2014 13:44:24 +0200
	Subject: [PATCH] file: reject paths using embedded %00

	Mostly because we use C strings and they end at a binary zero so we know
	we can't open a file name using an embedded binary zero.

	Reported-by: Pierre Joye
	---
	lib/file.c \| 12 ++++++++++--
	1 file changed, 10 insertions(+), 2 deletions(-)

	diff --git a/lib/file.c b/lib/file.c
	index 73df42e..230f1c2 100644
	--- a/lib/file.c
	+++ b/lib/file.c
	@@ -194,12 +194,13 @@ static CURLcode file_connect(struct connectdata conn, bool done)
	int fd;
	#ifdef DOS_FILESYSTEM
	int i;
	char *actual_path;
	#endif
	+ int real_path_len;

	- real_path = curl_easy_unescape(data, data->state.path, 0, NULL);
	+ real_path = curl_easy_unescape(data, data->state.path, 0, &real_path_len);
	if(!real_path)
	return CURLE_OUT_OF_MEMORY;

	#ifdef DOS_FILESYSTEM
	/* If the first character is a slash, and there's
	@@ -220,20 +221,27 @@ static CURLcode file_connect(struct connectdata conn, bool done)
	if((actual_path[0] == '/') &&
	actual_path[1] &&
	(actual_path[2] == ':' \|\| actual_path[2] == '\|')) {
	actual_path[2] = ':';
	actual_path++;
	+ real_path_len--;
	}

	/* change path separators from '/' to '\\' for DOS, Windows and OS/2 */
	- for(i=0; actual_path[i] != '\0'; ++i)
	+ for(i=0; i < real_path_len; ++i)
	if(actual_path[i] == '/')
	actual_path[i] = '\\';
	+ else if(!actual_path[i]) /* binary zero */
	+ return CURLE_URL_MALFORMAT;

	fd = open_readonly(actual_path, O_RDONLY\|O_BINARY);
	file->path = actual_path;
	#else
	+ if(memchr(real_path, 0, real_path_len))
	+ /* binary zeroes indicate foul play */
	+ return CURLE_URL_MALFORMAT;
	+
	fd = open_readonly(real_path, O_RDONLY);
	file->path = real_path;
	#endif
	file->freepath = real_path; /* free this when done */

	--
	2.1.1