From a6ae0fbe9c50733e0f645f5bd16e1db38c592c3d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 31 Jan 2018 08:40:11 +0100 Subject: [PATCH] FTP: reject path components with control codes Refuse to operate when given path components featuring byte values lower than 32. Previously, inserting a %00 sequence early in the directory part when using the 'singlecwd' ftp method could make curl write a zero byte outside of the allocated buffer. Test case 340 verifies. CVE-2018-1000120 Reported-by: Duy Phan Thanh Bug: https://curl.se/docs/adv_2018-9cd6.html --- lib/ftp.c | 8 ++++---- tests/data/Makefile.inc | 3 +++ tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 47 insertions(+), 4 deletions(-) create mode 100644 tests/data/test340 diff --git a/lib/ftp.c b/lib/ftp.c index fec591918..e2cc38b62 100644 --- a/lib/ftp.c +++ b/lib/ftp.c @@ -1472,11 +1472,11 @@ static CURLcode ftp_state_list(struct connectdata *conn) if(inpath[n - 1] != '/') { /* chop off the file part if format is dir/dir/file */ slashPos = strrchr(inpath, '/'); n = slashPos - inpath; } - result = Curl_urldecode(data, inpath, n, &lstArg, NULL, FALSE); + result = Curl_urldecode(data, inpath, n, &lstArg, NULL, TRUE); if(result) return result; } cmd = aprintf("%s%s%s", @@ -3192,11 +3192,11 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status, ftpc->known_filesize = -1; } if(!result) /* get the "raw" path */ - result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); + result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE); if(result) { /* We can limp along anyway (and should try to since we may already be in * the error path) */ ftpc->ctl_valid = FALSE; /* mark control connection as bad */ connclose(conn, "FTP: out of memory!"); /* mark for connection closure */ @@ -4153,11 +4153,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) dirlen++; result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/", slash_pos ? dirlen : 1, &ftpc->dirs[0], NULL, - FALSE); + TRUE); if(result) { freedirs(ftpc); return result; } ftpc->dirdepth = 1; /* we consider it to be a single dir */ @@ -4260,11 +4260,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) /* prevpath is "raw" so we convert the input path before we compare the strings */ size_t dlen; char *path; CURLcode result = - Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE); + Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE); if(result) { freedirs(ftpc); return result; } diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc index 7a989867d..97daf00ce 100644 --- a/tests/data/Makefile.inc +++ b/tests/data/Makefile.inc @@ -55,10 +55,13 @@ test280 test281 test282 test283 test284 test285 test286 test287 test288 \ test289 test290 test291 test292 test293 test294 test295 test296 test297 \ test298 test299 test300 test301 test302 test303 test304 test305 test306 \ test307 test308 test309 test310 test311 test312 test313 test314 test315 \ test316 test317 test318 test319 test320 test321 test322 test323 test324 \ test325 test326 \ +\ +test340 \ +\ test350 test351 test352 test353 test354 \ test393 test394 test395 \ \ test400 test401 test402 test403 test404 test405 test406 test407 test408 \ test409 \ diff --git a/tests/data/test340 b/tests/data/test340 new file mode 100644 index 000000000..d834d767c --- /dev/null +++ b/tests/data/test340 @@ -0,0 +1,40 @@ + + + +FTP +PASV +CWD +--ftp-method +singlecwd + + +# +# Server-side + + + +# Client-side + + +ftp + + +FTP using %00 in path with singlecwd + + +--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340 + + + +# Verify data after the test has been "shot" + + +USER anonymous +PASS ftp@example.com +PWD + + +3 + + + -- 2.16.1