Diffstat (limited to 'external/curl/CVE-2018-1000120.patch')
-rw-r--r--external/curl/CVE-2018-1000120.patch67
1 files changed, 67 insertions, 0 deletions
diff --git a/external/curl/CVE-2018-1000120.patch b/external/curl/CVE-2018-1000120.patch
new file mode 100644
index 000000000000..6da1b1b3dcce
--- /dev/null
+++ b/external/curl/CVE-2018-1000120.patch
@@ -0,0 +1,67 @@
+From a6ae0fbe9c50733e0f645f5bd16e1db38c592c3d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 31 Jan 2018 08:40:11 +0100
+Subject: [PATCH] FTP: reject path components with control codes
+
+Refuse to operate when given path components featuring byte values lower
+than 32.
+
+Previously, inserting a %00 sequence early in the directory part when
+using the 'singlecwd' ftp method could make curl write a zero byte
+outside of the allocated buffer.
+
+Test case 340 verifies.
+
+CVE-2018-1000120
+Reported-by: Duy Phan Thanh
+Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
+---
+ lib/ftp.c | 8 ++++----
+ tests/data/Makefile.inc | 3 +++
+ tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 47 insertions(+), 4 deletions(-)
+ create mode 100644 tests/data/test340
+
+diff --git a/lib/ftp.c b/lib/ftp.c
+index fec591918..e2cc38b62 100644
+--- a/lib/ftp.c
++++ b/lib/ftp.c
+@@ -3192,11 +3192,11 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
+ ftpc->known_filesize = -1;
+ }
+
+ if(!result)
+ /* get the "raw" path */
+- result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE);
++ result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE);
+ if(result) {
+ /* We can limp along anyway (and should try to since we may already be in
+ * the error path) */
+ ftpc->ctl_valid = FALSE; /* mark control connection as bad */
+ connclose(conn, "FTP: out of memory!"); /* mark for connection closure */
+@@ -4153,11 +4153,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
+ dirlen++;
+
+ result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/",
+ slash_pos ? dirlen : 1,
+ &ftpc->dirs[0], NULL,
+- FALSE);
++ TRUE);
+ if(result) {
+ freedirs(ftpc);
+ return result;
+ }
+ ftpc->dirdepth = 1; /* we consider it to be a single dir */
+@@ -4260,11 +4260,11 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
+ /* prevpath is "raw" so we convert the input path before we compare the
+ strings */
+ size_t dlen;
+ char *path;
+ CURLcode result =
+- Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE);
++ Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE);
+ if(result) {
+ freedirs(ftpc);
+ return result;
+ }
+
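Review bot: In the embedded ftp_done hunk the error branch still closes the control connection with the reason `"FTP: out of memory!"`, although with the last argument now `TRUE` the decode can, going by the commit message, also fail because a path component holds a byte below 32. Anyone triaging a rejected URL from the close reason would be pointed at memory exhaustion; a comment such as `/* result may also mean a control byte was rejected in the path, not only OOM */` above the `connclose` call, or a neutral reason string, would keep the two cases apart. Separately, the embedded diffstat lists tests/data/Makefile.inc and tests/data/test340, but the 67 added lines end after the third lib/ftp.c hunk, so the regression test appears not to be carried in this backport; a line in the patch header saying so would keep the stale diffstat from being read as truncation. The bodies of ftp_done and ftp_parse_url_path continue outside the hunks shown.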