diff options
author | Daniel Stenberg <daniel@haxx.se> | 2011-12-23 13:24:16 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2012-01-24 08:54:26 +0100 |
commit | 75ca568fa1c19de4c5358fed246686de8467c238 (patch) | |
tree | 3defa5cba8cb2105499cc762810274d27d44cfd6 /lib/smtp.c | |
parent | db1a856b4f7cf6ae334fb0656b26a18eea317000 (diff) |
URL sanitize: reject URLs containing bad data
Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a
decoded manner now use the new Curl_urldecode() function to reject URLs
with embedded control codes (anything that is or decodes to a byte value
less than 32).
URLs containing such codes could easily otherwise be used to do harm and
allow users to do unintended actions with otherwise innocent tools and
applications. Like for example using a URL like
pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get
a mail and instead this would delete one.
This flaw is considered a security vulnerability: CVE-2012-0036
Security advisory at: http://curl.haxx.se/docs/adv_20120124.html
Reported by: Dan Fandrich
Diffstat (limited to 'lib/smtp.c')
-rw-r--r-- | lib/smtp.c | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/lib/smtp.c b/lib/smtp.c index 4cb25efca..553c697d0 100644 --- a/lib/smtp.c +++ b/lib/smtp.c @@ -1244,7 +1244,6 @@ static CURLcode smtp_connect(struct connectdata *conn, struct SessionHandle *data = conn->data; struct pingpong *pp = &smtpc->pp; const char *path = conn->data->state.path; - int len; char localhost[HOSTNAME_MAX + 1]; *done = FALSE; /* default to not done yet */ @@ -1316,9 +1315,9 @@ static CURLcode smtp_connect(struct connectdata *conn, } /* url decode the path and use it as domain with EHLO */ - smtpc->domain = curl_easy_unescape(conn->data, path, 0, &len); - if(!smtpc->domain) - return CURLE_OUT_OF_MEMORY; + result = Curl_urldecode(conn->data, path, 0, &smtpc->domain, NULL, TRUE); + if(result) + return result; /* When we connect, we start in the state where we await the server greeting */ |