diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2018-01-31 08:40:11 +0100 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2018-03-12 07:47:07 +0100 |
| commit | 535432c0adb62fe167ec09621500470b6fa4eb0f (patch) | |
| tree | 1f57399b99b215172fe58c051f9bf4180beace05 /lib/ftp.c | |
| parent | d52dc4760f6d9ca1937eefa2093058a952465128 (diff) | |
| download | curl-535432c0adb62fe167ec09621500470b6fa4eb0f.tar.gz | |
FTP: reject path components with control codes
Refuse to operate when given path components featuring byte values lower
than 32.
Previously, inserting a %00 sequence early in the directory part when
using the 'singlecwd' ftp method could make curl write a zero byte
outside of the allocated buffer.
Test case 340 verifies.
CVE-2018-1000120
Reported-by: Duy Phan Thanh
Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
Diffstat (limited to 'lib/ftp.c')
| -rw-r--r-- | lib/ftp.c | 8 |
1 files changed, 4 insertions, 4 deletions
@@ -1474,7 +1474,7 @@ static CURLcode ftp_state_list(struct connectdata *conn) slashPos = strrchr(inpath, '/'); n = slashPos - inpath; } - result = Curl_urldecode(data, inpath, n, &lstArg, NULL, FALSE); + result = Curl_urldecode(data, inpath, n, &lstArg, NULL, TRUE); if(result) return result; } @@ -3194,7 +3194,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status, if(!result) /* get the "raw" path */ - result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); + result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE); if(result) { /* We can limp along anyway (and should try to since we may already be in * the error path) */ @@ -4155,7 +4155,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/", slash_pos ? dirlen : 1, &ftpc->dirs[0], NULL, - FALSE); + TRUE); if(result) { freedirs(ftpc); return result; @@ -4262,7 +4262,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) size_t dlen; char *path; CURLcode result = - Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE); + Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE); if(result) { freedirs(ftpc); return result; |