diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2013-08-04 23:27:27 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2013-08-04 23:32:36 +0200 |
| commit | 0ddc678927eaa127efc457535858c19e791a5339 (patch) | |
| tree | cc8832abd8f2165e6312b3d9657b7c776f8d98af | |
| parent | 51f0b798fa572496c56db62dc3970e4ea0b2760c (diff) | |
formadd: wrong pointer for file name when CURLFORM_BUFFERPTR used
The internal function that's used to detect known file extensions for
the default Content-Type got the the wrong pointer passed in when
CURLFORM_BUFFER + CURLFORM_BUFFERPTR were used. This had the effect that
strlen() would be used which could lead to an out-of-bounds read (and
thus segfault). In most cases it would only lead to it not finding or
using the correct default content-type.
It also showed that test 554 and test 587 were testing for the
previous/wrong behavior and now they're updated as well.
Bug: http://curl.haxx.se/bug/view.cgi?id=1262
Reported-by: Konstantin Isakov
| -rw-r--r-- | lib/formdata.c | 12 | ||||
| -rw-r--r-- | tests/data/test554 | 4 | ||||
| -rw-r--r-- | tests/data/test587 | 2 |
3 files changed, 10 insertions, 8 deletions
diff --git a/lib/formdata.c b/lib/formdata.c index 9d90f72e4..f718a3e4e 100644 --- a/lib/formdata.c +++ b/lib/formdata.c @@ -168,8 +168,8 @@ static FormInfo * AddFormInfo(char *value, * Returns some valid contenttype for filename. * ***************************************************************************/ -static const char * ContentTypeForFilename (const char *filename, - const char *prevtype) +static const char *ContentTypeForFilename(const char *filename, + const char *prevtype) { const char *contenttype = NULL; unsigned int i; @@ -178,7 +178,7 @@ static const char * ContentTypeForFilename (const char *filename, * extensions and pick the first we match! */ struct ContentType { - char extension[6]; + const char *extension; const char *type; }; static const struct ContentType ctts[]={ @@ -667,9 +667,11 @@ CURLFORMcode FormAdd(struct curl_httppost **httppost, if(((form->flags & HTTPPOST_FILENAME) || (form->flags & HTTPPOST_BUFFER)) && !form->contenttype ) { + char *f = form->flags & HTTPPOST_BUFFER? + form->showfilename : form->value; + /* our contenttype is missing */ - form->contenttype - = strdup(ContentTypeForFilename(form->value, prevtype)); + form->contenttype = strdup(ContentTypeForFilename(f, prevtype)); if(!form->contenttype) { return_value = CURL_FORMADD_MEMORY; break; diff --git a/tests/data/test554 b/tests/data/test554 index 8c6b762ef..b442230c9 100644 --- a/tests/data/test554 +++ b/tests/data/test554 @@ -45,7 +45,7 @@ s/boundary=------------------------[a-z0-9]*/boundary=-------------------------- POST /554 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Accept: */*
-Content-Length: 732
+Content-Length: 718
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------
@@ -69,7 +69,7 @@ Content-Disposition: form-data; name="submit" send
------------------------------
Content-Disposition: form-data; name="somename"; filename="somefile.txt"
-Content-Type: application/octet-stream
+Content-Type: text/plain
blah blah
--------------------------------
diff --git a/tests/data/test587 b/tests/data/test587 index d936372c5..e73cc2cf7 100644 --- a/tests/data/test587 +++ b/tests/data/test587 @@ -35,7 +35,7 @@ s/boundary=------------------------[a-z0-9]*/boundary=-------------------------- POST /587 HTTP/1.1
Host: %HOSTIP:%HTTPPORT
Accept: */*
-Content-Length: 732
+Content-Length: 718
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------
|