From 1f648221a2f9b7fba621ad53a54117e92a393bd3 Mon Sep 17 00:00:00 2001 | |
From: Daniel Stenberg <daniel@haxx.se> | |
Date: Thu, 25 Sep 2014 13:44:24 +0200 | |
Subject: [PATCH] file: reject paths using embedded %00 | |
Mostly because we use C strings and they end at a binary zero so we know | |
we can't open a file name using an embedded binary zero. | |
Reported-by: Pierre Joye | |
--- | |
lib/file.c | 12 ++++++++++-- | |
1 file changed, 10 insertions(+), 2 deletions(-) | |
diff --git a/lib/file.c b/lib/file.c | |
index 73df42e..230f1c2 100644 | |
--- a/lib/file.c | |
+++ b/lib/file.c | |
@@ -194,12 +194,13 @@ static CURLcode file_connect(struct connectdata *conn, bool *done) | |
int fd; | |
#ifdef DOS_FILESYSTEM | |
int i; | |
char *actual_path; | |
#endif | |
+ int real_path_len; | |
- real_path = curl_easy_unescape(data, data->state.path, 0, NULL); | |
+ real_path = curl_easy_unescape(data, data->state.path, 0, &real_path_len); | |
if(!real_path) | |
return CURLE_OUT_OF_MEMORY; | |
#ifdef DOS_FILESYSTEM | |
/* If the first character is a slash, and there's | |
@@ -220,20 +221,27 @@ static CURLcode file_connect(struct connectdata *conn, bool *done) | |
if((actual_path[0] == '/') && | |
actual_path[1] && | |
(actual_path[2] == ':' || actual_path[2] == '|')) { | |
actual_path[2] = ':'; | |
actual_path++; | |
+ real_path_len--; | |
} | |
/* change path separators from '/' to '\\' for DOS, Windows and OS/2 */ | |
- for(i=0; actual_path[i] != '\0'; ++i) | |
+ for(i=0; i < real_path_len; ++i) | |
if(actual_path[i] == '/') | |
actual_path[i] = '\\'; | |
+ else if(!actual_path[i]) /* binary zero */ | |
+ return CURLE_URL_MALFORMAT; | |
fd = open_readonly(actual_path, O_RDONLY|O_BINARY); | |
file->path = actual_path; | |
#else | |
+ if(memchr(real_path, 0, real_path_len)) | |
+ /* binary zeroes indicate foul play */ | |
+ return CURLE_URL_MALFORMAT; | |
+ | |
fd = open_readonly(real_path, O_RDONLY); | |
file->path = real_path; | |
#endif | |
file->freepath = real_path; /* free this when done */ | |
-- | |
2.1.1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment