From 6c51adeb71da076c5c40a45e339e06bb4394a86b Mon Sep 17 00:00:00 2001 From: Eric Vigeant Date: Wed, 2 Nov 2022 11:47:09 -0400 Subject: [PATCH] cur_path: do not add '/' if homedir ends with one When using SFTP and a path relative to the user home, do not add a trailing '/' to the user home dir if it already ends with one. Closes #9844 CVE: CVE-2023-27534 Note: - The upstream patch for CVE-2023-27534 does three things: 1) creates new path with dynbuf(dynamic buffer) 2) solves the tilde error which causes CVE-2023-27534 3) modifies the below added functionality to not add a trailing "/" to the user home dir if it already ends with one with dynbuf. - dynbuf functionalities are added in curl in later versions and are not essential to fix the vulnerability but does add extra feature in later versions. - This patch completes the 3rd task of the patch which was implemented without using dynbuf Upstream-Status: Backport from [https://github.com/curl/curl/commit/6c51adeb71da076c5c40a45e339e06bb4394a86b] Signed-off-by: Hitendra Prajapati Signed-off-by: Siddharth Doshi --- lib/curl_path.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/lib/curl_path.c b/lib/curl_path.c index f429634..40b92ee 100644 --- a/lib/curl_path.c +++ b/lib/curl_path.c @@ -70,10 +70,14 @@ CURLcode Curl_getworkingpath(struct connectdata *conn, /* It is referenced to the home directory, so strip the leading '/' */ memcpy(real_path, homedir, homelen); - real_path[homelen] = '/'; - real_path[homelen + 1] = '\0'; + /* Only add a trailing '/' if homedir does not end with one */ + if(homelen == 0 || real_path[homelen - 1] != '/') { + real_path[homelen] = '/'; + homelen++; + real_path[homelen] = '\0'; + } if(working_path_len > 3) { - memcpy(real_path + homelen + 1, working_path + 3, + memcpy(real_path + homelen, working_path + 3, 1 + working_path_len -3); } } -- 2.24.4