curl-library
Flawed dotdot removal from path when using an HTTP proxy
Date: Tue, 23 Jul 2013 12:38:07 +0200
Test 1231 doesn't work when using an external HTTP proxy.
The attached test 1232 reproduces the problem without requiring
an external HTTP proxy:
fk_at_r500 ~/git/curl/tests $./runtests.pl -a -n 1232
********* System characteristics ********
* curl 7.32.0-DEV (amd64-unknown-freebsd10.0)
* libcurl/7.32.0-DEV OpenSSL/1.0.1e zlib/1.2.8 libidn/1.27
* Features: Debug TrackMemory IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
* Host: r500.local
* System: FreeBSD r500.local 10.0-CURRENT FreeBSD 10.0-CURRENT #588 r+065751c: Mon Jul 8 15:08:08 CEST 2013 fk_at_r500.local:/usr/obj/usr/src/sys/ZOEY amd64
* Server SSL: ON libcurl SSL: ON
* debug build: ON track memory: ON
* valgrind: OFF HTTP IPv6 ON
* FTP IPv6 ON Libtool lib: OFF
* Shared build: no
* SSL library: OpenSSL
* Ports:
* HTTP/8990 FTP/8992 FTP2/8995 RTSP/9007 FTPS/8993 HTTPS/8991
* TFTP/8997 HTTP-IPv6/8994 RTSP-IPv6/9008 FTP-IPv6/8996
* GOPHER/9009 GOPHER-IPv6/9009
* SSH/8999 SOCKS/9000 POP3/9001 IMAP/9003 SMTP/9005
* POP3-IPv6/9002 IMAP-IPv6/9004 SMTP-IPv6/9006
* HTTPTLS/9011 HTTPTLS-IPv6/9012
* HTTP-PIPE/9014
*****************************************
test 1232...[HTTP URL with dotdot removal from path using an HTTP proxy]
1232: protocol FAILED:
--- log/check-expected 2013-07-13 14:59:23.777477791 +0200
+++ log/check-generated 2013-07-13 14:59:23.777477791 +0200
@@ -1,9 +1,9 @@
-GET http://test.remote.haxx.se.1232:8990/hej/but/1232?stupid=me/../1232 HTTP/1.1
+GET http://test.remote.haxx.se.1232:8990/../../hej/but/hej/but/1232?stupid=me/../1232 HTTP/1.1
Host: test.remote.haxx.se.1232:8990
Accept: */*
Proxy-Connection: Keep-Alive
-GET http://test.remote.haxx.se.1232:8990/hej/but/12320001 HTTP/1.1
+GET http://test.remote.haxx.se.1232:8990/../../hej/but/who/../12320/hej/but/12320001 HTTP/1.1
Host: test.remote.haxx.se.1232:8990
Accept: */*
Proxy-Connection: Keep-Alive
TESTDONE: 1 tests were considered during 2 seconds.
TESTDONE: 0 tests out of 1 reported OK: 0%
TESTFAIL: These test cases failed: 1232
I also attached a potential fix, but I suspect someone more familiar
with libcurl's internals could come up with a more elegant solution.
Finally there's a trivial comment fix for dotdot.c.
Fabian
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
- application/gzip attachment: dotdot-removal-fix.tar.gz
- application/pgp-signature attachment: signature.asc