New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix segmentation fault for empty output file names. #8606
Conversation
Function glob_match_url set *result to NULL when called with filename = "", producing an indirect NULL pointer dereference.
Reported-by: iblanes on github Fixes #8606
Reported-by: iblanes on github Fixes #8606
That still makes curl behave weirdly and delay the error. Isn't it better to fail like #8607 ? |
Wow, that was a fast response :-). My reasoning was to make the function to be consistent (get a string => return a string), but you are right that curl's behavior is still inconsistent overall with what happens when an empty string is given as output. I guess that the underlying question is what should curl do when it gets an empty string as output file name. I would argue that it should do the same as the rest of the common command line tools and treat that as the input to
But this creates uninformative error messages... Unfortunately, there are more nuanced behaviors related to this. At some point curls seems to think that an empty output file name is equivalent to the standard output. Here curl seems to think that
Here curl produces the same empty string for one of the subtitutions and reports an empty file (no
If you think that it would be helpful (and it is needed), perhaps I may be able to contribute a patch tackling the whole thing, but I would need some directions on what do you want curl to do in this case (what |
It struck me that my check was also done a bit too late. I think we should consider Then we can probably check for a blank file name (and error out if so) already here: Line 2046 in 563d1f9
|
Thank you for the directions. Here is a new shot at it. This time it is a bit more comprehensive:
I have also followed the output file name from command line to The three previous examples are now fixed:
I have also manually tested it a bit more, finding the following extra corner cases. This one (the error message may be unclear):
is fixed into:
This one (curl tries to resume directory):
is fixed into:
And this one (curl prints a null pointer):
is fixed into:
Let me know if this is in line with what you had in mind. |
Previously it would return a pointer if the buffer previously had contents. This makes the code follow the documentation. Added test case 1614 to verify this behavior. Spotted-by: iblanes Ref: #8606
Thanks! |
On Tue, Mar 22, 2022 at 10:33:12AM -0700, iblanes wrote:
Warning: output file name has no length
This wording seems pretty stilted to me. Something like "output file name is
empty" or "output file name is required" is more straightforward.
$ curl --no-progress-meter 'http://{a,}kernel.org' -o "#1"
Warning: output glob produces empty string!
curl: (23) Failed writing received data to disk/application
Presumably, something like this would not error out:
curl 'http://{a,}kernel.org' -o "#1-file"
|
Curl crashes with segmentation fault when output is an empty string and
--create-dirs
is used.The crash occurs because function
glob_match_url
sets*result
toNULL
when called withfilename = ""
(curlx_dyn_ptr
returnsNULL
for an empty buffer) in functionsingle_transfer
. Hence,per->outfile
is changed from""
toNULL
.Proposed patch ensures that
Curl_dyn_ptr
sets*result
to at least an empty string.