[LibreOffice.git] / external / curl / CVE-2018-1000120.patch
1 From a6ae0fbe9c50733e0f645f5bd16e1db38c592c3d Mon Sep 17 00:00:00 2001
2 From: Daniel Stenberg <daniel@haxx.se>
3 Date: Wed, 31 Jan 2018 08:40:11 +0100
4 Subject: [PATCH] FTP: reject path components with control codes
6 Refuse to operate when given path components featuring byte values lower
7 than 32.
9 Previously, inserting a %00 sequence early in the directory part when
10 using the 'singlecwd' ftp method could make curl write a zero byte
11 outside of the allocated buffer.
13 Test case 340 verifies.
15 CVE-2018-1000120
16 Reported-by: Duy Phan Thanh
17 Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
18 ---
19 lib/ftp.c | 8 ++++----
20 tests/data/Makefile.inc | 3 +++
21 tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++
22 3 files changed, 47 insertions(+), 4 deletions(-)
23 create mode 100644 tests/data/test340
25 diff --git a/lib/ftp.c b/lib/ftp.c
26 index fec591918..e2cc38b62 100644
27 --- a/lib/ftp.c
28 +++ b/lib/ftp.c
29 @@ -3192,11 +3192,11 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
30 ftpc->known_filesize = -1;
33 if(!result)
34 /* get the "raw" path */
35 - result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);
36 + result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);
37 if(result) {
38 /* We can limp along anyway (and should try to since we may already be in
39 * the error path) */
40 ftpc->ctl_valid = FALSE; /* mark control connection as bad */
41 connclose(conn, "FTP: out of memory!"); /* mark for connection closure */
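Review bot: The failure branch after the decode in ftp_done still closes the connection with `connclose(conn, "FTP: out of memory!")`, but once the last argument is TRUE the decode presumably also fails when the path holds a byte below 32, as the commit message describes. The logged close reason would then be wrong for exactly the input this patch is meant to reject, which makes a rejected hostile URL look like a resource problem in debug traces. A neutral reason such as `connclose(conn, "FTP: path decode failed");` stays accurate for both cases. A short comment at the call, e.g. `/* TRUE: refuse decoded bytes < 32 */`, would also keep the bare boolean from being flipped back unnoticed here and at the same call in the two ftp_parse_url_path hunks. ftp_done's body starts and ends outside the hunk.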
42 @@ -4153,11 +4153,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
43 dirlen++;
45 result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",
46 slash_pos ? dirlen : 1,
47 &ftpc->dirs[0], NULL,
48 - FALSE);
49 + TRUE);
50 if(result) {
51 freedirs(ftpc);
52 return result;
54 ftpc->dirdepth = 1; /* we consider it to be a single dir */
55 @@ -4260,11 +4260,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
56 /* prevpath is "raw" so we convert the input path before we compare the
57 strings */
58 size_t dlen;
59 char *path;
60 CURLcode result =
61 - Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);
62 + Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);
63 if(result) {
64 freedirs(ftpc);
65 return result;