From a6ae0fbe9c50733e0f645f5bd16e1db38c592c3d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 31 Jan 2018 08:40:11 +0100
Subject: [PATCH] FTP: reject path components with control codes

Refuse to operate when given path components featuring byte values lower
than 32.

Previously, inserting a %00 sequence early in the directory part when
using the 'singlecwd' ftp method could make curl write a zero byte
outside of the allocated buffer.

Test case 340 verifies.

CVE-2018-1000120
Reported-by: Duy Phan Thanh
Bug: https://curl.se/docs/adv_2018-9cd6.html
---
 lib/ftp.c               |  8 ++++----
 tests/data/Makefile.inc |  3 +++
 tests/data/test340      | 40 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 47 insertions(+), 4 deletions(-)
 create mode 100644 tests/data/test340

diff --git a/lib/ftp.c b/lib/ftp.c
index fec591918..e2cc38b62 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -1472,11 +1472,11 @@ static CURLcode ftp_state_list(struct connectdata *conn)
     if(inpath[n - 1] != '/') {
       /* chop off the file part if format is dir/dir/file */
       slashPos = strrchr(inpath, '/');
       n = slashPos - inpath;
     }
-    result = Curl_urldecode(data, inpath, n, &lstArg, NULL, FALSE);
+    result = Curl_urldecode(data, inpath, n, &lstArg, NULL, TRUE);
     if(result)
       return result;
   }
 
   cmd = aprintf("%s%s%s",
@@ -3192,11 +3192,11 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
     ftpc->known_filesize = -1;
   }
 
   if(!result)
     /* get the "raw" path */
-    result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);
+    result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);
   if(result) {
     /* We can limp along anyway (and should try to since we may already be in
      * the error path) */
     ftpc->ctl_valid = FALSE; /* mark control connection as bad */
     connclose(conn, "FTP: out of memory!"); /* mark for connection closure */
@@ -4153,11 +4153,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
         dirlen++;
 
       result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",
                               slash_pos ? dirlen : 1,
                               &ftpc->dirs[0], NULL,
-                              FALSE);
+                              TRUE);
       if(result) {
         freedirs(ftpc);
         return result;
       }
       ftpc->dirdepth = 1; /* we consider it to be a single dir */
@@ -4260,11 +4260,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
     /* prevpath is "raw" so we convert the input path before we compare the
        strings */
     size_t dlen;
     char *path;
     CURLcode result =
-      Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);
+      Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);
     if(result) {
       freedirs(ftpc);
       return result;
     }
 
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
index 7a989867d..97daf00ce 100644
--- a/tests/data/Makefile.inc
+++ b/tests/data/Makefile.inc
@@ -55,10 +55,13 @@ test280 test281 test282 test283 test284 test285 test286 test287 test288 \
 test289 test290 test291 test292 test293 test294 test295 test296 test297 \
 test298 test299 test300 test301 test302 test303 test304 test305 test306 \
 test307 test308 test309 test310 test311 test312 test313 test314 test315 \
 test316 test317 test318 test319 test320 test321 test322 test323 test324 \
 test325 test326 \
+\
+test340 \
+\
 test350 test351 test352 test353 test354 \
 test393 test394 test395 \
 \
 test400 test401 test402 test403 test404 test405 test406 test407 test408 \
 test409 \
diff --git a/tests/data/test340 b/tests/data/test340
new file mode 100644
index 000000000..d834d767c
--- /dev/null
+++ b/tests/data/test340
@@ -0,0 +1,40 @@
+<testcase>
+<info>
+<keywords>
+FTP
+PASV
+CWD
+--ftp-method
+singlecwd
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+ <name>
+FTP using %00 in path with singlecwd
+ </name>
+ <command>
+--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+USER anonymous
+PASS ftp@example.com
+PWD
+</protocol>
+<errorcode>
+3
+</errorcode>
+</verify>
+</testcase>
-- 
2.16.1

