Commit 404c8850 authored by Daniel Stenberg

curl_fnmatch: only allow two asterisks for matching

The previous limit of 5 can still end up in a situation that takes a very
long time and consumes a lot of CPU.

If there is still a rare use case for this, a user can provide their own
fnmatch callback for a version that allows a larger set of wildcards.

This commit was triggered by yet another OSS-Fuzz timeout due to this.
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8369

Closes #2587
parent 27aebcc1
+2 −2
@@ -5,7 +5,7 @@
.\" *                            | (__| |_| |  _ <| |___
.\" *                             \___|\___/|_| \_\_____|
.\" *
.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
.\" *
.\" * This software is licensed as described in the file COPYING, which
.\" * you should have received as part of this distribution. The terms
@@ -41,7 +41,7 @@ A brief introduction of its syntax follows:
.RS
.IP "* - ASTERISK"
\&ftp://example.com/some/path/\fB*.txt\fP (for all txt's from the root
directory)
directory). Only two asterisks are allowed within the same pattern string.
.RE
.RS
.IP "? - QUESTION MARK"
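Review bot: The sentence added under "* - ASTERISK" states the limit but not what happens when a pattern carries a third asterisk. Say whether such a pattern is rejected as an error or simply matches nothing, and mention that an application can install its own fnmatch callback if it needs more wildcards, since the commit message names that as the way out and a reader of the man page will not see the commit message.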
+1 −1
@@ -355,5 +355,5 @@ int Curl_fnmatch(void *ptr, const char *pattern, const char *string)
  if(!pattern || !string) {
    return CURL_FNMATCH_FAIL;
  }
  return loop((unsigned char *)pattern, (unsigned char *)string, 5);
  return loop((unsigned char *)pattern, (unsigned char *)string, 2);
}
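Review bot: The bare 2 passed as the last argument to loop() in Curl_fnmatch is a magic number, and the same value is now written out in the man page. Give it a name, for example a #define placed next to loop(), with a one-line comment explaining that the limit bounds matching time, so that the code and the documentation are found and changed together the next time the limit moves (it has already moved once, from 5).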
+0 −4
@@ -185,11 +185,7 @@ static const struct testcase tests[] = {
  { "\\?.txt",                  "x.txt",                  NOMATCH },
  { "\\*.txt",                  "x.txt",                  NOMATCH },
  { "\\*\\\\.txt",              "*\\.txt",                MATCH },
  { "*\\**\\?*\\\\*",           "cc*cc?cc\\cc*cc",        MATCH },
  { "*\\**\\?*\\\\*",           "cc*cc?cccc",             NOMATCH },
  { "*\\**\\?*\\\\*",           "cc*cc?cc\\cc*cc",        MATCH },
  { "*\\?*\\**",                "cc?c*c",                 MATCH },
  { "*\\?*\\**curl*",           "cc?c*curl",              MATCH },
  { "*\\?*\\**",                "cc?cc",                  NOMATCH },
  { "\\\"\\$\\&\\'\\(\\)",      "\"$&'()",                MATCH },
  { "\\*\\?\\[\\\\\\`\\|",      "*?[\\`|",                MATCH },
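Review bot: The tests[] table only loses rows here (+0 −4), so nothing asserts the new limit itself. Add at least one row whose pattern has three unescaped asterisks and whose string would otherwise match, with the result the limit is meant to produce, and one row with exactly two asterisks that still expects MATCH, so the boundary is pinned on both sides. Also recheck any remaining row with more than two unescaped asterisks (for example the "*\\?*\\**" and "*\\**\\?*\\\\*" patterns): a row that expects NOMATCH would now pass because of the limit rather than because the string fails to match.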