diff options
Diffstat (limited to 'external/curl/CVE-2018-1000120.patch')
-rw-r--r-- | external/curl/CVE-2018-1000120.patch | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/external/curl/CVE-2018-1000120.patch b/external/curl/CVE-2018-1000120.patch new file mode 100644 index 000000000000..6da1b1b3dcce --- /dev/null +++ b/external/curl/CVE-2018-1000120.patch @@ -0,0 +1,67 @@ +From a6ae0fbe9c50733e0f645f5bd16e1db38c592c3d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Wed, 31 Jan 2018 08:40:11 +0100 +Subject: [PATCH] FTP: reject path components with control codes + +Refuse to operate when given path components featuring byte values lower +than 32. + +Previously, inserting a %00 sequence early in the directory part when +using the 'singlecwd' ftp method could make curl write a zero byte +outside of the allocated buffer. + +Test case 340 verifies. + +CVE-2018-1000120 +Reported-by: Duy Phan Thanh +Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html +--- + lib/ftp.c | 8 ++++---- + tests/data/Makefile.inc | 3 +++ + tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 47 insertions(+), 4 deletions(-) + create mode 100644 tests/data/test340 + +diff --git a/lib/ftp.c b/lib/ftp.c +index fec591918..e2cc38b62 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -3192,11 +3192,11 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status, + ftpc->known_filesize = -1; + } + + if(!result) + /* get the "raw" path */ +- result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); ++ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE); + if(result) { + /* We can limp along anyway (and should try to since we may already be in + * the error path) */ + ftpc->ctl_valid = FALSE; /* mark control connection as bad */ + connclose(conn, "FTP: out of memory!"); /* mark for connection closure */ +@@ -4153,11 +4153,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) + dirlen++; + + result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/", + slash_pos ? dirlen : 1, + &ftpc->dirs[0], NULL, +- FALSE); ++ TRUE); + if(result) { + freedirs(ftpc); + return result; + } + ftpc->dirdepth = 1; /* we consider it to be a single dir */ +@@ -4260,11 +4260,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) + /* prevpath is "raw" so we convert the input path before we compare the + strings */ + size_t dlen; + char *path; + CURLcode result = +- Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE); ++ Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE); + if(result) { + freedirs(ftpc); + return result; + } + |