author | Daniel Stenberg <daniel@haxx.se> | 2020-10-01 23:37:30 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2020-10-01 23:37:30 +0200 |
commit | 9618e3164c33afdfe193771601445d7c71ab6f71 (patch) | |
tree | 65bb148462bfb5a67b945eb6aaabd6f05b158c05 /src | |
parent | da00d983b2933d81594ec12a7a10ff9fe5c83bfc (diff) | |
download | curl-9618e3164c33afdfe193771601445d7c71ab6f71.tar.gz |
fixup postfields use curl_off_t, and cap overly long string outputs
Diffstat (limited to 'src')
-rw-r--r-- | src/tool_setopt.c | 40 |
1 files changed, 25 insertions, 15 deletions
diff --git a/src/tool_setopt.c b/src/tool_setopt.c index 0cf1a1da6..19d22c9ce 100644 --- a/src/tool_setopt.c +++ b/src/tool_setopt.c @@ -219,21 +219,26 @@ static const struct NameValue setopt_nv_CURLNONZERODEFAULTS[] = { /* Escape string to C string syntax. Return NULL if out of memory. * Is this correct for those wacky EBCDIC guys? */ -static char *c_escape(const char *str, size_t len) + +#define MAX_STRING_LENGTH_OUTPUT 2000 +#define ZERO_TERMINATED -1 + +static char *c_escape(const char *str, curl_off_t len) { const char *s; unsigned char c; char *escaped, *e; + bool cutoff = FALSE; - if(len == CURL_ZERO_TERMINATED) + if(len == ZERO_TERMINATED) len = strlen(str); - /* Check for possible overflow. */ - if(len > (~(size_t) 0) / 4) - return NULL; + if(len > MAX_STRING_LENGTH_OUTPUT) + /* cap ridiculously long strings */ + len = MAX_STRING_LENGTH_OUTPUT; /* Allocate space based on worst-case */ - escaped = malloc(4 * len + 1); + escaped = malloc(4 * len + 1 + cutoff * 3); if(!escaped) return NULL; @@ -267,6 +272,11 @@ static char *c_escape(const char *str, size_t len) else *e++ = c; } + if(cutoff) { + *e++ = '.'; + *e++ = '.'; + *e++ = '.'; + } *e = '\0'; return escaped; } @@ -405,7 +415,7 @@ static CURLcode libcurl_generate_slist(struct curl_slist *slist, int *slistno) CLEAN1("slist%d = NULL;", *slistno); for(; slist; slist = slist->next) { Curl_safefree(escaped); - escaped = c_escape(slist->data, CURL_ZERO_TERMINATED); + escaped = c_escape(slist->data, ZERO_TERMINATED); if(!escaped) return CURLE_OUT_OF_MEMORY; DATA3("slist%d = curl_slist_append(slist%d, \"%s\");", @@ -456,7 +466,7 @@ static CURLcode libcurl_generate_mime_part(CURL *curl, case TOOLMIME_DATA: #ifdef CURL_DOES_CONVERSIONS /* Data will be set in ASCII, thus issue a comment with clear text. */ - escaped = c_escape(part->data, CURL_ZERO_TERMINATED); + escaped = c_escape(part->data, ZERO_TERMINATED); NULL_CHECK(escaped); CODE1("/* \"%s\" */", escaped); 
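Review bot: `cutoff` is initialised to FALSE in c_escape() and nothing in the visible lines ever sets it, so the capping branch shortens `len` silently: the `cutoff * 3` term in the malloc() is always zero and the `...` block added in the -267 hunk can never run. The generated source then carries a truncated literal with no sign that data was dropped; setting the flag where the cap is applied fixes both hunks, `if(len > MAX_STRING_LENGTH_OUTPUT) { len = MAX_STRING_LENGTH_OUTPUT; cutoff = TRUE; }`. Separately, `len` is now a signed curl_off_t and the old overflow check is gone, so a negative value other than ZERO_TERMINATED would pass the cap and reach `malloc(4 * len + 1)`; whether any caller can supply one is not visible here, but a guard such as `if(len < 0) return NULL;` after the sentinel test would rule it out. The escaping loop between the two c_escape() hunks is outside the diff.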
@@ -475,7 +485,7 @@ static CURLcode libcurl_generate_mime_part(CURL *curl, #endif if(!ret) { Curl_safefree(escaped); - escaped = c_escape(data, CURL_ZERO_TERMINATED); + escaped = c_escape(data, ZERO_TERMINATED); NULL_CHECK(escaped); CODE2("curl_mime_data(part%d, \"%s\", CURL_ZERO_TERMINATED);", mimeno, escaped); @@ -484,7 +494,7 @@ static CURLcode libcurl_generate_mime_part(CURL *curl, case TOOLMIME_FILE: case TOOLMIME_FILEDATA: - escaped = c_escape(part->data, CURL_ZERO_TERMINATED); + escaped = c_escape(part->data, ZERO_TERMINATED); NULL_CHECK(escaped); CODE2("curl_mime_filedata(part%d, \"%s\");", mimeno, escaped); if(part->kind == TOOLMIME_FILEDATA && !filename) { @@ -509,28 +519,28 @@ static CURLcode libcurl_generate_mime_part(CURL *curl, if(!ret && part->encoder) { Curl_safefree(escaped); - escaped = c_escape(part->encoder, CURL_ZERO_TERMINATED); + escaped = c_escape(part->encoder, ZERO_TERMINATED); NULL_CHECK(escaped); CODE2("curl_mime_encoder(part%d, \"%s\");", mimeno, escaped); } if(!ret && filename) { Curl_safefree(escaped); - escaped = c_escape(filename, CURL_ZERO_TERMINATED); + escaped = c_escape(filename, ZERO_TERMINATED); NULL_CHECK(escaped); CODE2("curl_mime_filename(part%d, \"%s\");", mimeno, escaped); } if(!ret && part->name) { Curl_safefree(escaped); - escaped = c_escape(part->name, CURL_ZERO_TERMINATED); + escaped = c_escape(part->name, ZERO_TERMINATED); NULL_CHECK(escaped); CODE2("curl_mime_name(part%d, \"%s\");", mimeno, escaped); } if(!ret && part->type) { Curl_safefree(escaped); - escaped = c_escape(part->type, CURL_ZERO_TERMINATED); + escaped = c_escape(part->type, ZERO_TERMINATED); NULL_CHECK(escaped); CODE2("curl_mime_type(part%d, \"%s\");", mimeno, escaped); } 
@@ -720,7 +730,7 @@ CURLcode tool_setopt(CURL *curl, bool str, struct GlobalConfig *global, REM2("%s set to a %s", name, value); else { if(escape) { - size_t len = CURL_ZERO_TERMINATED; + curl_off_t len = ZERO_TERMINATED; if(tag == CURLOPT_POSTFIELDS) len = config->postfieldsize; escaped = c_escape(value, len); |
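Review bot: For CURLOPT_POSTFIELDS the escaped literal is now capped at MAX_STRING_LENGTH_OUTPUT bytes inside c_escape(), while `config->postfieldsize` is still the full length of the data. If the generated program also sets its post size from that value (that code is not in this hunk), it would declare more bytes than the emitted literal holds and read past the literal when compiled and run. This is worth confirming, and if so either the emitted size should follow the cap or the generated code should carry a remark such as `/* POSTFIELDS truncated in this listing */` so the output is not taken for a faithful reproduction. tool_setopt's body continues outside the hunk.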