1
0
mirror of https://github.com/moparisthebest/curl synced 2024-11-18 07:25:14 -05:00
curl/tests/data/test340
Daniel Stenberg 535432c0ad
FTP: reject path components with control codes
Refuse to operate when given path components featuring byte values lower
than 32.

Previously, inserting a %00 sequence early in the directory part when
using the 'singlecwd' ftp method could make curl write a zero byte
outside of the allocated buffer.

Test case 340 verifies.

CVE-2018-1000120
Reported-by: Duy Phan Thanh
Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
2018-03-12 07:47:07 +01:00

41 lines
493 B
Plaintext

<testcase>
<info>
<keywords>
FTP
PASV
CWD
--ftp-method
singlecwd
</keywords>
</info>
#
# Server-side
<reply>
</reply>
# Client-side
<client>
<server>
ftp
</server>
<name>
FTP using %00 in path with singlecwd
</name>
<command>
--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340
</command>
</client>
# Verify data after the test has been "shot"
<verify>
<protocol>
USER anonymous
PASS ftp@example.com
PWD
</protocol>
<errorcode>
3
</errorcode>
</verify>
</testcase>