curl-library

Re: Bad data in (FTP) URLs

From: Stephan Bergmann <Stephan.Bergmann_at_sun.com>
Date: Wed, 19 Jan 2005 17:12:27 +0100

Stephan Bergmann wrote:
> Hi all,
>
> Messing around with the FTP part of curl 7.12.2, as used in
> OpenOffice.org 2.0, I found the following two problems:
>
> 1 FTP URLs passed to curl may contain CR (0x0D) and LF (0x0A) in the
> RFC 1738 <user>, <password>, and <fpath> components, either encoded as
> "%0D" etc., or---in slightly illegal URLs---directly and unencoded.
> These two characters are not allowed within RFC 959 <string>, for good
> reason: <ftp://host/foo%0D%0Abar/...> leads to sending the two command
> sequence
>
> CWD foo
> bar
>
> to the server, which will complain about the "bar" garbage. A
> quick-and-dirty patch to ftp.c 1.274 is attached.

...and now with attachment...

> 2 FTP URLs passed to curl may contain NUL (0x00) in the RFC 1738
> <user>, <password>, and <fpath> components, encoded as "%00". The
> problem is that curl_unescape does not detect this, but instead returns
> a shortened C string. From a strict FTP protocol standpoint, NUL is a
> valid character within RFC 959 <string>, so the way to handle this
> correctly in curl would be to use a data structure other than a plain C
> string, one that can handle embedded NUL characters. From a practical
> standpoint, most FTP servers would not meaningfully support NUL
> characters within RFC 959 <string>, anyway (e.g., UNIX pathnames may not
> contain NUL), so that a practical solution might be to add a check for
> "%00" to curl_unescape and change the interface of that function, so
> that it can report back on any "bad" input.
>
> Note that both problems may probably hit curl for protocols other than
> FTP, too.
>
> -Stephan
>
> (NB: Danile, re the recent "CURLOPT_PROXY and --disable-http" thread:
         ^^^^^^
Oops, that should read Daniel, of course.

> Yes, url.c 1.440 makes me happy. Thanks a lot.)

*** ftp.c 2005-01-19 16:34:28.677131530 +0100
--- ftp.c.org 2004-10-18 00:21:02.000000000 +0200
***************
*** 149,162 ****
    }
  }

- /* Returns non-zero iff the given string contains CR (0x0D) or LF (0x0A), which
- are not allowed within RFC 959 <string>.
- */
- static int isBadFtpString(const char *string)
- {
- return strchr(string, 0x0D) != NULL || strchr(string, 0x0A) != NULL;
- }
-
  /***********************************************************************
   *
   * AllowServerConnect()
--- 149,154 ----
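
Review bot: isBadFtpString() hands its argument straight to strchr(), so a NULL pointer from any caller crashes here; either state the non-NULL requirement in the comment or return early on NULL. The two strchr() passes could also be a single strpbrk(string, "\r\n"). Separately, the file order in the header (*** ftp.c, --- ftp.c.org) makes the new function show up as removed lines; regenerating the diff with the original file first would make the additions read as additions.
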
***************
*** 500,508 ****
    /* no need to duplicate them, this connectdata struct won't change */
    ftp->user = conn->user;
    ftp->passwd = conn->passwd;
- if (isBadFtpString(ftp->user) || isBadFtpString(ftp->passwd)) {
- return CURLE_URL_MALFORMAT;
- }
    ftp->response_time = 3600; /* set default response time-out */

  #ifndef CURL_DISABLE_HTTP
--- 492,497 ----
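
Review bot: The new user/password check returns CURLE_URL_MALFORMAT without a failf() message, unlike the "no memory" path visible later in this patch, so the application gets no hint which component was rejected. Consider a failf() naming the field, and confirm that nothing set up earlier in this function needs releasing before the early return.
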
***************
*** 2692,2701 ****
          freedirs(ftp);
          return CURLE_OUT_OF_MEMORY;
        }
- if (isBadFtpString(ftp->dirs[ftp->dirdepth])) {
- freedirs(ftp);
- return CURLE_URL_MALFORMAT;
- }
      }
      else {
        cur_pos = slash_pos + 1; /* jump to the rest of the string */
--- 2681,2686 ----
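
Review bot: The check indexes ftp->dirs[ftp->dirdepth] immediately after the out-of-memory test, which is only right if dirdepth still refers to the entry just stored; that depends on lines above this hunk that are not shown and is worth confirming. Because the test runs on the decoded C string, a path component cut short by %00 (problem 2 in the mail) is only examined up to the truncation point.
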
***************
*** 2727,2736 ****
        failf(data, "no memory");
        return CURLE_OUT_OF_MEMORY;
      }
- if (isBadFtpString(ftp->file)) {
- freedirs(ftp);
- return CURLE_URL_MALFORMAT;
- }
    }
    else
      ftp->file=NULL; /* instead of point to a zero byte, we make it a NULL
--- 2712,2717 ----
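
Review bot: The rejection path for ftp->file calls freedirs(ftp) while the "no memory" return just above it does not, and the new path does not free ftp->file itself, which the preceding allocation check suggests was just allocated. Make the cleanup consistent between the two returns and confirm that freedirs() or the caller releases ftp->file, otherwise each rejected URL leaks it.
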
Received on 2005-01-19
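
The idea from problem 2 above (an unescape step that reports bad input), combined with the CR/LF check from problem 1, as an added example that is not curl's code and not part of the attached patch. The name `ftp_component_decode` and the `FTP_DEC_*` codes are hypothetical.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical result codes for this example (not curl's error codes). */
enum ftp_dec { FTP_DEC_OK, FTP_DEC_BAD_ESCAPE, FTP_DEC_NUL, FTP_DEC_CRLF,
               FTP_DEC_NOMEM };

static int hexval(unsigned char c)
{
  if(isdigit(c))
    return c - '0';
  c = (unsigned char)tolower(c);
  return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Percent-decode one URL component (user, password or path segment) and
   reject bytes that cannot be sent safely inside an RFC 959 <string>.
   On FTP_DEC_OK, *out is a malloc'ed NUL-terminated copy the caller frees. */
enum ftp_dec ftp_component_decode(const char *in, char **out)
{
  size_t n = 0;
  char *buf = malloc(strlen(in) + 1); /* decoding never grows the input */
  *out = NULL;
  if(!buf)
    return FTP_DEC_NOMEM;
  while(*in) {
    unsigned char c = (unsigned char)*in++;
    if(c == '%') {
      /* in[1] is read only when in[0] is a hex digit, so never past the end */
      int hi = hexval((unsigned char)in[0]);
      int lo = hi < 0 ? -1 : hexval((unsigned char)in[1]);
      if(lo < 0) { free(buf); return FTP_DEC_BAD_ESCAPE; }
      c = (unsigned char)(hi * 16 + lo);
      in += 2;
    }
    /* Checked after decoding, so "%0D" and a raw CR are treated alike. */
    if(c == 0x00) { free(buf); return FTP_DEC_NUL; }
    if(c == 0x0D || c == 0x0A) { free(buf); return FTP_DEC_CRLF; }
    buf[n++] = (char)c;
  }
  buf[n] = '\0';
  *out = buf;
  return FTP_DEC_OK;
}
```

Rejecting `%00` during decoding, instead of scanning the result afterwards, is what keeps a silently shortened string from ever reaching the code that builds the FTP command.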