file: reject paths using embedded %00

Mostly because we use C strings and they end at a binary zero so we know we can't open a file name using an embedded binary zero. Reported-by: research@g0blin.co.uk
2024-12-21 23:58:49 -05:00 · 2014-09-25 13:44:24 +02:00 · 2014-09-25 13:44:24 +02:00 · 53cbea2231
commit 53cbea2231
parent 46d71e7fd2
1 changed files with 10 additions and 2 deletions
--- a/lib/file.c
+++ b/lib/file.c
@ -196,8 +196,9 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
  int i;
  char *actual_path;
 #endif
+  int real_path_len;

-  real_path = curl_easy_unescape(data, data->state.path, 0, NULL);
+  real_path = curl_easy_unescape(data, data->state.path, 0, &real_path_len);
  if(!real_path)
    return CURLE_OUT_OF_MEMORY;

@ -222,16 +223,23 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
     (actual_path[2] == ':' || actual_path[2] == '|')) {
    actual_path[2] = ':';
    actual_path++;
+    real_path_len--;
  }

  /* change path separators from '/' to '\\' for DOS, Windows and OS/2 */
-  for(i=0; actual_path[i] != '\0'; ++i)
+  for(i=0; i < real_path_len; ++i)
    if(actual_path[i] == '/')
      actual_path[i] = '\\';
+    else if(!actual_path[i]) /* binary zero */
+      return CURLE_URL_MALFORMAT;

  fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
  file->path = actual_path;
 #else
+  if(memchr(real_path, 0, real_path_len))
+    /* binary zeroes indicate foul play */
+    return CURLE_URL_MALFORMAT;
+
  fd = open_readonly(real_path, O_RDONLY);
  file->path = real_path;
 #endif