Commit 53cbea22 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

file: reject paths using embedded %00 



Mostly because we use C strings and they end at a binary zero so we know
we can't open a file name using an embedded binary zero.

Reported-by: default avatar <research@g0blin.co.uk>
parent 46d71e7f

lib/file.c

+10 −2
Original line number Diff line number Diff line
@@ -196,8 +196,9 @@ static CURLcode file_connect(struct connectdata *conn, bool *done) 
  int i;

  char *actual_path;

#endif

  int real_path_len;



  real_path = curl_easy_unescape(data, data->state.path, 0, NULL);

  real_path = curl_easy_unescape(data, data->state.path, 0, &real_path_len);

  if(!real_path)

    return CURLE_OUT_OF_MEMORY;
@@ -222,16 +223,23 @@ static CURLcode file_connect(struct connectdata *conn, bool *done) 
     (actual_path[2] == ':' || actual_path[2] == '|')) {

    actual_path[2] = ':';

    actual_path++;

    real_path_len--;

  }



  /* change path separators from '/' to '\\' for DOS, Windows and OS/2 */

  for(i=0; actual_path[i] != '\0'; ++i)

  for(i=0; i < real_path_len; ++i)

    if(actual_path[i] == '/')

      actual_path[i] = '\\';

    else if(!actual_path[i]) /* binary zero */

      return CURLE_URL_MALFORMAT;



  fd = open_readonly(actual_path, O_RDONLY|O_BINARY);

  file->path = actual_path;

#else

  if(memchr(real_path, 0, real_path_len))

    /* binary zeroes indicate foul play */

    return CURLE_URL_MALFORMAT;



  fd = open_readonly(real_path, O_RDONLY);

  file->path = real_path;

#endif