authorDaniel Stenberg <daniel@haxx.se>2019-11-07 10:13:01 +0100
committerDaniel Stenberg <daniel@haxx.se>2020-01-06 10:05:37 +0100
commit1b71bc532bde8621fd3260843f8197182a467ff2 (patch)
treed349f280f458873744dd64bbc41e83314b8fcf8e
parentaeb32d059bc1e02993e4ca541d510fc8e3fd99bc (diff)
downloadcurl-1b71bc532bde8621fd3260843f8197182a467ff2.tar.gz
file: on Windows, refuse paths that start with \\
... as that might cause an unexpected SMB connection to a given host name. Reported-by: Fernando Muñoz CVE-2019-15601 Bug: https://curl.haxx.se/docs/CVE-2019-15601.html
-rw-r--r--lib/file.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/file.c b/lib/file.c
index d349cd924..166931d7f 100644
--- a/lib/file.c
+++ b/lib/file.c
@@ -136,7 +136,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
struct Curl_easy *data = conn->data;
char *real_path;
struct FILEPROTO *file = data->req.protop;
- int fd;
+ int fd = -1;
#ifdef DOS_FILESYSTEM
size_t i;
char *actual_path;
@@ -181,7 +181,9 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
return CURLE_URL_MALFORMAT;
}
- fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
+ if(strncmp("\\\\", actual_path, 2))
+ /* refuse to open path that starts with two backslashes */
+ fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
file->path = actual_path;
#else
if(memchr(real_path, 0, real_path_len)) {
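Review bot: The new `if(strncmp("\\\\", actual_path, 2))` guard only skips this one `open_readonly()` call, while `file->path = actual_path;` on the following line still stores the refused path. Any later code that opens `file->path` itself (none is visible in this hunk; a write or upload path would be the place to look) is not covered by the check and should be audited. The refusal is also silent, since it depends on `fd` keeping the `-1` from the first hunk and on error handling further down in file_connect, which lies outside the hunk. Failing explicitly would keep the rejected path out of `file->path`, for example `if(!strncmp("\\\\", actual_path, 2)) return CURLE_URL_MALFORMAT;`, preceded by whatever cleanup `actual_path` needs, which cannot be confirmed from here. If the conditional form stays, bracing the body would be safer, because the comment currently sits between the `if` and its single unbraced statement.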