curl-library

curl_easy_escape() easily misused?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Sat, 8 Oct 2016 11:59:32 +0200 (CEST)

Hey,

We got this note on the API for curl_easy_escape() from someone and I figured
I'd bring this here for discussion.

Read it and think. It basically points out how the current API could easily be
misused and possibly already is by some applications, and offers some thoughts
on what we could or should do about it.

I'm a bit undecided myself. What do you think?

--- snip ---

curl_easy_escape() (and a deprecated variant curl_escape()) accept both a
buffer and a length as arguments. As a convenience feature, if the length is
0, it is assumed that the buffer contains text and strlen() is called on the
buffer instead.

However, this means that a caller intending to supply a binary buffer and
failing to explicitly check whether the buffer has a size equaling zero might
in fact cause an out-of-bounds read. If this happens, it is also likely to
translate into disclosure of the read data to an HTTP server. A cursory
inspection of some code that uses curl_easy_escape() with a length argument
shows that most cURL users fail to explicitly check for length zero. However,
because the buffer normally contains a C string anyway, this shortcoming does
not have much impact in practice.

Although curl_easy_escape() can be used safely, it is recommended to deprecate
curl_easy_escape() and either create two new functions for binary and text
data or, alternatively, introduce a new function that takes advantage of the
maximum size_t value instead of 0 as the special "use strlen()" argument.

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html
Received on 2016-10-08
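The pitfall described in the quoted note, and the defensive pattern a caller can adopt today, as an added example that is not part of the original mail and not libcurl code. `escape_model()` is a hypothetical stand-in written here to copy the documented `curl_easy_escape()` convention (an `int` length where 0 means "call `strlen()`"); `escape_binary()` is the wrapper pattern that keeps a zero-length binary buffer from ever reaching that convenience path. The two-byte record in the demo is constructed for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical stand-in for curl_easy_escape(), written for this example.
 * It copies the documented length convention: a length of 0 means "treat
 * data as a C string and call strlen()". Percent-encoding rule: keep the
 * unreserved characters (ALPHA / DIGIT / "-" / "." / "_" / "~"), encode
 * every other byte as %XX. The caller frees the result.
 */
static char *escape_model(const char *data, int length)
{
    size_t len = (length == 0) ? strlen(data) : (size_t)length;
    char *out = malloc(len * 3 + 1);
    size_t o = 0;
    if (!out)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)data[i];
        if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
            (c >= '0' && c <= '9') || c == '-' || c == '.' ||
            c == '_' || c == '~') {
            out[o++] = (char)c;
        } else {
            static const char hex[] = "0123456789ABCDEF";
            out[o++] = '%';
            out[o++] = hex[c >> 4];
            out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return out;
}

/*
 * Defensive wrapper for binary buffers: a zero length is answered here with
 * an empty string and never forwarded, so the strlen() path cannot be reached
 * with non-string data. Lengths above INT_MAX do not fit the int parameter
 * and are rejected instead of being silently truncated.
 */
static char *escape_binary(const unsigned char *buf, size_t len)
{
    if (len == 0) {
        char *empty = malloc(1);
        if (empty)
            empty[0] = '\0';
        return empty;
    }
    if (len > INT_MAX)
        return NULL;
    return escape_model((const char *)buf, (int)len);
}

/*
 * Shows the misuse the note describes. The constructed record is a binary
 * buffer the caller currently considers empty (length 0). Forwarding that
 * length unchecked makes the model call strlen() and escape bytes the caller
 * never meant to send; the wrapper returns "". The record carries a
 * terminating NUL only so that this demonstration itself stays well defined;
 * a real binary buffer need not, which is where the out-of-bounds read comes from.
 */
static int demo_zero_length_pitfall(char **direct, char **wrapped)
{
    static const char record[] = { 'h', 'i', '\0' };
    *direct = escape_model(record, 0);                           /* "hi" */
    *wrapped = escape_binary((const unsigned char *)record, 0);  /* ""   */
    return (*direct && *wrapped) ? 0 : -1;
}

int main(void)
{
    char *direct, *wrapped;
    if (demo_zero_length_pitfall(&direct, &wrapped) != 0)
        return 1;
    printf("unchecked length 0 -> \"%s\"\n", direct);
    printf("wrapped length 0   -> \"%s\"\n", wrapped);
    free(direct);
    free(wrapped);
    return 0;
}
```

The wrapper is the check the note says most callers omit: decide at the call site whether the argument is a C string or a byte buffer, and for byte buffers handle the empty case yourself rather than letting the library interpret 0 as "measure it with `strlen()`".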