 [curl:bugs] #1264 Glob parsing bug leads to strange behavior, corruption, DoS (segfault)
From: Will Dietz <wdtz_at_users.sf.net>
 Date: Thu, 15 Aug 2013 00:13:20 +0000 
Similar to previously-fixed bug: http://sourceforge.net/p/curl/bugs/1129/
 
---
**[bugs:#1264] Glob parsing bug leads to strange behavior, corruption, DoS (segfault)**
**Status:** open
**Created:** Thu Aug 15, 2013 12:11 AM UTC by Will Dietz
**Last Updated:** Thu Aug 15, 2013 12:11 AM UTC
**Owner:** nobody
Description
===========
Overview
--------
The glob_range() function in tool_urlglob.c fails to handle errors from subsequent glob parsing, which allows crafted URLs to cause a variety of undesirable behavior including corruption and DoS (crash).
Details
-------
The relevant code is at tool_urlglob.c:272:
~~~~
:::c
    res = glob_word(glob, c, pos + (c - pattern), &wordamount);
    if(res == GLOB_ERROR) {
      wordamount = 1;
      res = GLOB_OK;
    }
~~~~
As shown above, the code ignores errors returned from attempts to parse out globs in the remainder of the URL.  This means that malformed glob patterns following a range pattern will have the resulting parse error ignored, and curl attempts to use an incomplete or invalid 'glob' data structure when generating candidate URLs.
Reproduction:
=============
Below are listed example invocations that use this bug to cause undesirable behaviors, which are divided into the faulting glob type:
Invalid set glob
----------------
Missing ']' or set glob crosses boundary for too many globs:
~~~~
:::sh
$ curl "http://localhost/[a-b]{"
$ curl "http://localhost/[a-b]{}{}{}{}{}{}{}{}{}"
~~~~
Results in a crash or an attempt to access URLs with sprintf'd NULLs present, as in the following:
~~~~
:::sh
$ curl "http://localhost/[a-b]{}{}{}{}{"
[1/2]: http://localhost/a(nil)(nil)(nil --> <stdout>
--_curl_--http://localhost/a(nil)(nil)(nil
curl: (7) Failed connect to localhost:80; Connection refused
[2/2]: http://localhost/a(nil)(nil)(nil --> <stdout>
--_curl_--http://localhost/a(nil)(nil)(nil
curl: (7) Failed connect to localhost:80; Connection refused
~~~~
Invalid range glob
------------------
Missing '}' or range glob crosses boundary for too many globs:
~~~~
:::sh
$ curl "http://localhost/[a-b]["
$ curl "http://localhost/[a-b]{}{}{}{}{}{}{}{}[a-b]"
~~~~
Gives the following output:
~~~~
:::sh
internal error: invalid pattern type (0)
curl: (2) Failed initialization
~~~~
Impact
======
Programs using curl with globbing enabled may be crashable or worse if the user can control the URL given.  Note that since libcurl does not contain the globbing logic (AFAIK), this is only an issue for the command-line curl and applications which use exec() to invoke it.
The above inputs cause bad behavior in versions of curl including 7.19.7, 7.31.0, 7.32.0, and the latest git (d5e2d0b).
---
Sent from sourceforge.net because curl-tracker@cool.haxx.se is subscribed to https://sourceforge.net/p/curl/bugs/
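As an added example, not code from the curl project or from the report: a constructed C model of the recursive parse the report describes. With `swallow=1` the range parser drops the error from the nested parse, as in the quoted tool_urlglob.c snippet, and leaves a slot whose type is still 0; with `swallow=0` the error is propagated and the URL is refused. All names here (`urlglob`, `glob_bracket`, `glob_url`, `glob_check`, the `PT_` types, `MAX_GLOBS`) are assumptions of the model, not curl's own identifiers.

```c
#include <string.h>
#define GLOB_OK    0
#define GLOB_ERROR 1
#define MAX_GLOBS  4
enum { PT_UNSET = 0, PT_RANGE, PT_SET }; /* 0 = slot never filled in */
typedef struct { int type[MAX_GLOBS]; int count; } urlglob;
static int glob_word(urlglob *g, const char *p, int swallow);

/* Parse one glob whose opener was just consumed. The slot is reserved
 * before the closing bracket is verified, so a failed parse leaves a
 * PT_UNSET slot behind (constructed to mirror the report's corruption). */
static int glob_bracket(urlglob *g, const char *p, char close, int type,
                        int swallow)
{
  if(g->count >= MAX_GLOBS) return GLOB_ERROR;   /* too many globs */
  g->count++;
  const char *end = strchr(p, close);
  if(!end) return GLOB_ERROR;                    /* missing ']' or '}' */
  g->type[g->count - 1] = type;
  int res = glob_word(g, end + 1, swallow);      /* parse the rest of the URL */
  if(type == PT_RANGE && res == GLOB_ERROR && swallow)
    res = GLOB_OK;                               /* the defect: error discarded */
  return res;
}

/* Skip literal text up to the next '[' or '{' and hand off. */
static int glob_word(urlglob *g, const char *p, int swallow)
{
  for(; *p; p++) {
    if(*p == '[') return glob_bracket(g, p + 1, ']', PT_RANGE, swallow);
    if(*p == '{') return glob_bracket(g, p + 1, '}', PT_SET, swallow);
  }
  return GLOB_OK;
}

/* swallow=1 models the reported code, swallow=0 the fix: the nested
 * error reaches the caller, which then refuses the URL. */
int glob_url(const char *url, int swallow, urlglob *g)
{
  memset(g, 0, sizeof(*g));
  return glob_word(g, url, swallow);
}

/* What the URL generator sees: usable glob count, or -1 for a type-0 slot. */
int glob_check(const urlglob *g)
{
  for(int i = 0; i < g->count; i++)
    if(g->type[i] == PT_UNSET) return -1;
  return g->count;
}
```

The inputs from the report's reproduction section drive the model: with the error swallowed, `glob_url` reports success while `glob_check` finds the unfilled slot that the real tool reports as "invalid pattern type (0)".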
Received on 2013-08-15
Page updated May 06, 2013.