Commit 5d7952f5 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

url: fix buffer overwrite with file protocol (CVE-2017-9502) 

Bug: https://github.com/curl/curl/issues/1540
Advisory: https://curl.haxx.se/docs/adv_20170614.html

Assisted-by: Ray Satiro
Reported-by: Marcel Raad
parent 5fa028e5

lib/url.c

+22 −5
Original line number Diff line number Diff line
@@ -4466,6 +4466,7 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, 
#endif



    protop = "file"; /* protocol string */

    *prot_missing = !url_has_scheme;

  }

  else {

    /* clear path */
@@ -4629,14 +4630,30 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data, 


    size_t plen = strlen(path); /* new path, should be 1 byte longer than

                                   the original */

    size_t urllen = strlen(data->change.url); /* original URL length */



    size_t prefixlen = strlen(conn->host.name);



    if(!*prot_missing)

      prefixlen += strlen(protop) + strlen("://");

    if(!*prot_missing) {

      size_t protolen = strlen(protop);



      if(curl_strnequal(protop, data->change.url, protolen))

        prefixlen += protolen;

      else {

        failf(data, "<url> malformed");

        return CURLE_URL_MALFORMAT;

      }



      if(curl_strnequal("://", &data->change.url[protolen], 3))

        prefixlen += 3;

      /* only file: is allowed to omit one or both slashes */

      else if(curl_strnequal("file:", data->change.url, 5))

        prefixlen += 1 + (data->change.url[5] == '/');

      else {

        failf(data, "<url> malformed");

        return CURLE_URL_MALFORMAT;

      }

    }



    reurl = malloc(urllen + 2); /* 2 for zerobyte + slash */

    reurl = malloc(prefixlen + plen + 1);

    if(!reurl)

      return CURLE_OUT_OF_MEMORY;