diff options
Diffstat (limited to 'recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch')
-rw-r--r-- | recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch new file mode 100644 index 0000000..cd44efb --- /dev/null +++ b/recipes-support/curl/curl/CVE-2018-1000120-FTP-reject-path-components-with-control-codes.patch | |||
@@ -0,0 +1,119 @@ | |||
1 | From 257f0d14893a491786bccb34ecc847f74edd47c6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Andreas Wellving <andreas.wellving@enea.com> | ||
3 | Date: Mon, 22 Oct 2018 13:01:11 +0200 | ||
4 | Subject: [PATCH] FTP: reject path components with control codes | ||
5 | |||
6 | Refuse to operate when given path components featuring byte values lower | ||
7 | than 32. | ||
8 | |||
9 | Previously, inserting a %00 sequence early in the directory part when | ||
10 | using the 'singlecwd' ftp method could make curl write a zero byte | ||
11 | outside of the allocated buffer. | ||
12 | |||
13 | Test case 340 verifies. | ||
14 | |||
15 | CVE-2018-1000120 | ||
16 | Upstream-Status: Backport [https://curl.haxx.se/CVE-2018-1000120.patch] | ||
17 | |||
18 | Reported-by: Duy Phan Thanh | ||
19 | Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html | ||
20 | |||
21 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
22 | --- | ||
23 | lib/ftp.c | 6 +++--- | ||
24 | tests/data/Makefile.inc | 1 + | ||
25 | tests/data/test340 | 40 ++++++++++++++++++++++++++++++++++++++++ | ||
26 | 3 files changed, 44 insertions(+), 3 deletions(-) | ||
27 | create mode 100644 tests/data/test340 | ||
28 | |||
29 | diff --git a/lib/ftp.c b/lib/ftp.c | ||
30 | index cab3699..0e28059 100644 | ||
31 | --- a/lib/ftp.c | ||
32 | +++ b/lib/ftp.c | ||
33 | @@ -3236,7 +3236,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status, | ||
34 | |||
35 | if(!result) | ||
36 | /* get the "raw" path */ | ||
37 | - result = Curl_urldecode(data, path_to_use, 0, &path, NULL, FALSE); | ||
38 | + result = Curl_urldecode(data, path_to_use, 0, &path, NULL, TRUE); | ||
39 | if(result) { | ||
40 | /* We can limp along anyway (and should try to since we may already be in | ||
41 | * the error path) */ | ||
42 | @@ -4242,7 +4242,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) | ||
43 | result = Curl_urldecode(conn->data, slash_pos ? cur_pos : "/", | ||
44 | slash_pos ? dirlen : 1, | ||
45 | &ftpc->dirs[0], NULL, | ||
46 | - FALSE); | ||
47 | + TRUE); | ||
48 | if(result) { | ||
49 | freedirs(ftpc); | ||
50 | return result; | ||
51 | @@ -4350,7 +4350,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) | ||
52 | size_t dlen; | ||
53 | char *path; | ||
54 | CURLcode result = | ||
55 | - Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, FALSE); | ||
56 | + Curl_urldecode(conn->data, data->state.path, 0, &path, &dlen, TRUE); | ||
57 | if(result) { | ||
58 | freedirs(ftpc); | ||
59 | return result; | ||
60 | diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc | ||
61 | index 135ba06..31e026f 100644 | ||
62 | --- a/tests/data/Makefile.inc | ||
63 | +++ b/tests/data/Makefile.inc | ||
64 | @@ -57,6 +57,7 @@ test298 test299 test300 test301 test302 test303 test304 test305 test306 \ | ||
65 | test307 test308 test309 test310 test311 test312 test313 \ | ||
66 | test320 test321 test322 test323 test324 \ | ||
67 | test325 \ | ||
68 | +test340 \ | ||
69 | test350 test351 test352 test353 test354 \ | ||
70 | \ | ||
71 | test400 test401 test402 test403 test404 test405 test406 test407 test408 \ | ||
72 | diff --git a/tests/data/test340 b/tests/data/test340 | ||
73 | new file mode 100644 | ||
74 | index 0000000..d834d76 | ||
75 | --- /dev/null | ||
76 | +++ b/tests/data/test340 | ||
77 | @@ -0,0 +1,40 @@ | ||
78 | +<testcase> | ||
79 | +<info> | ||
80 | +<keywords> | ||
81 | +FTP | ||
82 | +PASV | ||
83 | +CWD | ||
84 | +--ftp-method | ||
85 | +singlecwd | ||
86 | +</keywords> | ||
87 | +</info> | ||
88 | +# | ||
89 | +# Server-side | ||
90 | +<reply> | ||
91 | +</reply> | ||
92 | + | ||
93 | +# Client-side | ||
94 | +<client> | ||
95 | +<server> | ||
96 | +ftp | ||
97 | +</server> | ||
98 | + <name> | ||
99 | +FTP using %00 in path with singlecwd | ||
100 | + </name> | ||
101 | + <command> | ||
102 | +--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340 | ||
103 | +</command> | ||
104 | +</client> | ||
105 | + | ||
106 | +# Verify data after the test has been "shot" | ||
107 | +<verify> | ||
108 | +<protocol> | ||
109 | +USER anonymous | ||
110 | +PASS ftp@example.com | ||
111 | +PWD | ||
112 | +</protocol> | ||
113 | +<errorcode> | ||
114 | +3 | ||
115 | +</errorcode> | ||
116 | +</verify> | ||
117 | +</testcase> | ||
118 | |||
119 | |||