curl-library
Re: curl_easy_escape() easily misused?
Date: Sat, 8 Oct 2016 15:09:05 -0400
On 10/8/2016 5:59 AM, Daniel Stenberg wrote:
>
> However, this means that a caller intending to supply a binary buffer
> and failing to explicitly check whether the buffer has a size equaling
> zero might in fact cause an out-of-bounds read. If this happens, it is
> also likely to translate into disclosure of the read data to an HTTP
> server. A cursory inspection of some code that uses curl_easy_escape()
> with a length argument shows that most cURL users fail to explicitly
> check for length zero. However, because the buffer normally contains a
> C string anyway, this shortcoming does not have much impact in practice.
It says clearly "If length is set to 0 (zero), curl_easy_escape uses
strlen() on the input string to find out the size." The burden is on the
caller to check, and I really don't think it's that big of one. I don't
see any harm in adding inline helpers like curl_easy_escape_string and
curl_easy_escape_binary, either.
#include <limits.h>
#include <stdlib.h>
#include <curl/curl.h>

/* Escapes a NUL-terminated C string; libcurl measures it with strlen(). */
inline
char *curl_easy_escape_string(CURL *curl, const char *string)
{
  return curl_easy_escape(curl, string, 0);
}

/* Escapes a binary buffer of explicit size. A zero size never reaches
   curl_easy_escape(), so the strlen() fallback cannot trigger; sizes that
   do not fit the int length parameter are rejected instead of truncated. */
inline
char *curl_easy_escape_binary(CURL *curl, const char *binary, size_t size)
{
  if(!size)
    return (char *)calloc(1, 1); /* empty escaped string the caller can free */
  else if(size < (unsigned)(INT_MAX))
    return curl_easy_escape(curl, binary, (int)size);
  else
    return NULL;
}
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-10-08
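Added example, not from the post or from libcurl: a stand-alone stand-in for curl_easy_escape() that reproduces only the documented contract under discussion (length 0 means strlen() on the input), next to a binary-safe wrapper in the spirit of the proposed curl_easy_escape_binary(). The names escape_like_curl and escape_binary and the sample buffer are constructed for this example.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for curl_easy_escape() (NOT libcurl's code): percent-encodes
 * everything but unreserved characters. It keeps the real contract that
 * a length of 0 falls back to strlen(), which is the hazard for binary
 * input: strlen() stops at the first NUL or, on an empty buffer, reads
 * past its end. */
static char *escape_like_curl(const char *in, int length)
{
  size_t n = length ? (size_t)length : strlen(in); /* the fallback in question */
  char *out = malloc(n * 3 + 1);
  char *p = out;
  if(!out)
    return NULL;
  for(size_t i = 0; i < n; i++) {
    unsigned char c = (unsigned char)in[i];
    if(isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~')
      *p++ = (char)c;
    else
      p += sprintf(p, "%%%02X", c);
  }
  *p = '\0';
  return out;
}

/* Binary-safe wrapper: an empty buffer yields "" without ever passing a
 * zero length down, and sizes that do not fit the int parameter are
 * rejected rather than silently truncated by the cast. */
char *escape_binary(const char *binary, size_t size)
{
  if(!size)
    return calloc(1, 1);
  if(size >= (size_t)INT_MAX)
    return NULL;
  return escape_like_curl(binary, (int)size);
}

int main(void)
{
  /* Constructed sample: a 4-byte buffer with an embedded NUL and a high byte. */
  static const char blob[4] = { 'a', '\0', (char)0xff, 'b' };
  char *s0 = escape_like_curl(blob, 0);        /* strlen() stops at the NUL: "a" */
  char *s4 = escape_binary(blob, sizeof blob); /* "a%00%FFb" */
  char *e  = escape_binary(blob, 0);           /* "" */
  printf("%s | %s | \"%s\"\n", s0, s4, e);
  free(s0); free(s4); free(e);
  return 0;
}
```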