urlglob: better detect unclosed braces, empty lists and overflows

A rather big overhaul and cleanup.

1 - curl wouldn't properly detect and reject globbing that ended with an
open brace if there were brackets or braces before it. Like "{}{" or
"[0-1]{"

2 - curl wouldn't properly reject empty lists so that "{}{}" would
result in curl getting (nil) strings in the output.

3 - By using strtoul() instead of sscanf() the code will now detected
over and underflows. It now also better parses the step argument to only
accept positive numbers and only step counters that is smaller than the
delta between the maximum and minimum numbers.

4 - By switching to unsigned longs instead of signed ints for the
counters, the max values for []-ranges are now very large (on 64bit
machines).

5 - Bumped the maximum number of globs in a single URL to 100 (from 10)

6 - Simplified the code somewhat and now it stores fixed strings as
single- entry lists. That's also one of the reasons why I did (5) as now
all strings between "globs" will take a slot in the array.

Added test 1234 and 1235 to verify. Updated test 87.

This commit fixes three separate bug reports.

Bug: http://curl.haxx.se/bug/view.cgi?id=1264
Bug: http://curl.haxx.se/bug/view.cgi?id=1265
Bug: http://curl.haxx.se/bug/view.cgi?id=1266
Reported-by: Will Dietz

4 files changed, 156 insertions, 8 deletions

diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
index 0d5c29d88..f661b7103 100644
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -93,7 +93,7 @@ test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
 test1208 test1209 test1210 test1211 test1212 test1213 test1214 test1215 \
 test1216 test1217 test1218 test1219 \
 test1220 test1221 test1222 test1223 test1224 test1225 test1226 test1227 \
-test1228 test1229 test1230 test1231 test1232 test1233 \
+test1228 test1229 test1230 test1231 test1232 test1233 test1234 test1235 \
 \
 test1300 test1301 test1302 test1303 test1304 test1305 test1306 test1307 \
 test1308 test1309 test1310 test1311 test1312 test1313 test1314 test1315 \
diff --git a/tests/data/test1234 b/tests/data/test1234
new file mode 100644
index 000000000..9d7a79fc4
--- /dev/null
+++ b/tests/data/test1234
@@ -0,0 +1,32 @@
+<testcase>
+<info>
+<keywords>
+{} list
+FAILURE
+</keywords>
+</info>
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+none
+</server>
+ <name>
+abusing {}-globbing
+ </name>
+ <command>
+"%HOSTIP:%HTTPPORT/1234[0-1]{" "%HOSTIP:%HTTPPORT/{}{}{}{"
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+# 3 == CURLE_URL_MALFORMAT
+<errorcode>
+3
+</errorcode>
+</verify>
+</testcase>
diff --git a/tests/data/test1235 b/tests/data/test1235
new file mode 100644
index 000000000..6c2a6a966
--- /dev/null
+++ b/tests/data/test1235
@@ -0,0 +1,94 @@
+<testcase>
+<info>
+<keywords>
+HTTP
+HTTP GET
+{} list
+</keywords>
+</info>
+# Server-side
+<reply>
+<data1>
+HTTP/1.1 200 OK

+Funny-head: yesyes

+Content-Length: 15

+

+the number one
+</data1>
+<data2>
+HTTP/1.1 200 OK

+Funny-head: yesyes

+Content-Length: 16

+

+two is nice too
+</data2>
+</reply>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+ <name>
+multiple requests using {}{} in the URL
+ </name>
+ <command>
+"%HOSTIP:%HTTPPORT/{1235,1235}{0001,0002}"
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<strip>
+^User-Agent:.*
+</strip>
+<protocol>
+GET /12350001 HTTP/1.1

+User-Agent: curl/7.8.1-pre3 (sparc-sun-solaris2.7) libcurl 7.8.1-pre3 (OpenSSL 0.9.6a) (krb4 enabled)

+Host: %HOSTIP:%HTTPPORT

+Accept: */*

+

+GET /12350002 HTTP/1.1

+User-Agent: curl/7.8.1-pre3 (sparc-sun-solaris2.7) libcurl 7.8.1-pre3 (OpenSSL 0.9.6a) (krb4 enabled)

+Host: %HOSTIP:%HTTPPORT

+Accept: */*

+

+GET /12350001 HTTP/1.1

+User-Agent: curl/7.8.1-pre3 (sparc-sun-solaris2.7) libcurl 7.8.1-pre3 (OpenSSL 0.9.6a) (krb4 enabled)

+Host: %HOSTIP:%HTTPPORT

+Accept: */*

+

+GET /12350002 HTTP/1.1

+User-Agent: curl/7.8.1-pre3 (sparc-sun-solaris2.7) libcurl 7.8.1-pre3 (OpenSSL 0.9.6a) (krb4 enabled)

+Host: %HOSTIP:%HTTPPORT

+Accept: */*

+

+</protocol>
+<stdout>
+--_curl_--%HOSTIP:%HTTPPORT/12350001
+HTTP/1.1 200 OK

+Funny-head: yesyes

+Content-Length: 15

+

+the number one
+--_curl_--%HOSTIP:%HTTPPORT/12350002
+HTTP/1.1 200 OK

+Funny-head: yesyes

+Content-Length: 16

+

+two is nice too
+--_curl_--%HOSTIP:%HTTPPORT/12350001
+HTTP/1.1 200 OK

+Funny-head: yesyes

+Content-Length: 15

+

+the number one
+--_curl_--%HOSTIP:%HTTPPORT/12350002
+HTTP/1.1 200 OK

+Funny-head: yesyes

+Content-Length: 16

+

+two is nice too
+</stdout>
+</verify>
+</testcase>
diff --git a/tests/data/test87 b/tests/data/test87
index 40b274b2e..4e436791e 100644
--- a/tests/data/test87
+++ b/tests/data/test87
@@ -8,29 +8,51 @@ FAILURE
 #
 # Server-side
 <reply>
+<data1>
+HTTP/1.1 200 OK

+Funny-head: yesyes

+Content-Length: 15

+

+the number one
+</data1>
+<data2>
+HTTP/1.1 200 OK

+Funny-head: yesyes

+Content-Length: 16

+

+two is nice too
+</data2>
+
 </reply>
 #
 # Client-side
 <client>
 <server>
-none
+http
 </server>
 <features>
 http
 </features>
  <name>
-urlglob with bad -o #[num] usage
+urlglob with out of range -o #[num] usage
  </name>
  <command option="no-output">
-"http://%HOSTIP:%HTTPPORT/[870001-870003]" -o "log/dumpit#2.dump"
+"http://%HOSTIP:%HTTPPORT/[870001-870002]" -o "log/dumpit#2.dump"
 </command>
 </client>
 
 #
-# Verify data after the test has been "shot"
+# Verify data after the test has been "shot". Note that the command line
+# will write both responses into the same file name so only the second
+# survives
+#
 <verify>
-<errorcode>
-2
-</errorcode>
+<file name="log/dumpit#2.dump" [mode="text"]>
+HTTP/1.1 200 OK

+Funny-head: yesyes

+Content-Length: 16

+

+two is nice too
+</file>
 </verify>
 </testcase>