From 1f648221a2f9b7fba621ad53a54117e92a393bd3 Mon Sep 17 00:00:00 2001 | |
From: Daniel Stenberg <daniel@haxx.se> | |
Date: Thu, 25 Sep 2014 13:44:24 +0200 | |
Subject: [PATCH] file: reject paths using embedded %00 | |
Mostly because we use C strings and they end at a binary zero so we know | |
we can't open a file name using an embedded binary zero. | |
Reported-by: Pierre Joye | |
--- | |
lib/file.c | 12 ++++++++++-- | |
1 file changed, 10 insertions(+), 2 deletions(-) | |
diff --git a/lib/file.c b/lib/file.c | |
index 73df42e..230f1c2 100644 | |
--- a/lib/file.c | |
+++ b/lib/file.c | |
@@ -194,12 +194,13 @@ static CURLcode file_connect(struct connectdata *conn, bool *done) | |
int fd; | |
#ifdef DOS_FILESYSTEM | |
int i; | |
char *actual_path; | |
#endif | |
+ int real_path_len; | |
- real_path = curl_easy_unescape(data, data->state.path, 0, NULL); | |
+ real_path = curl_easy_unescape(data, data->state.path, 0, &real_path_len); | |
if(!real_path) | |
return CURLE_OUT_OF_MEMORY; | |
#ifdef DOS_FILESYSTEM | |
/* If the first character is a slash, and there's | |
@@ -220,20 +221,27 @@ static CURLcode file_connect(struct connectdata *conn, bool *done) | |
if((actual_path[0] == '/') && | |
actual_path[1] && | |
(actual_path[2] == ':' || actual_path[2] == '|')) { | |
actual_path[2] = ':'; | |
actual_path++; | |
+ real_path_len--; | |
} | |
/* change path separators from '/' to '\\' for DOS, Windows and OS/2 */ | |
- for(i=0; actual_path[i] != '\0'; ++i) | |
+ for(i=0; i < real_path_len; ++i) | |
if(actual_path[i] == '/') | |
actual_path[i] = '\\'; | |
+ else if(!actual_path[i]) /* binary zero */ | |
+ return CURLE_URL_MALFORMAT; | |
fd = open_readonly(actual_path, O_RDONLY|O_BINARY); | |
file->path = actual_path; | |
#else | |
+ if(memchr(real_path, 0, real_path_len)) | |
+ /* binary zeroes indicate foul play */ | |
+ return CURLE_URL_MALFORMAT; | |
+ | |
fd = open_readonly(real_path, O_RDONLY); | |
file->path = real_path; | |
#endif | |
file->freepath = real_path; /* free this when done */ | |
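Review bot: Both new `return CURLE_URL_MALFORMAT;` exits leak `real_path`: the buffer returned by `curl_easy_unescape()` is only handed to `file->freepath` on the last line of the hunk, which neither early return reaches. Each rejection path should release it first, e.g. `Curl_safefree(real_path);` before the `return` in a braced block, both in the `memchr()` branch and in the `else if(!actual_path[i])` branch of the DOS loop. In the DOS branch the pointer to free is `real_path`, not `actual_path`, since `actual_path++` may have advanced it past the start of the allocation (presumably `actual_path` is set from `real_path` in the lines between the two hunks). The `for` body is now an if/else chain without braces, so bracing the loop would also make the added `else if` harder to misread. `file_connect` begins and ends outside this hunk.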
-- | |
2.1.1 |