curl: avoid local drive traversal when saving file (Windows)

curl does not sanitize colons in a remote file name that is used as the local file name. This may lead to a vulnerability on systems where the colon is a special path character. Currently Windows/DOS is the only OS where this vulnerability applies. CVE-2016-0754 Bug: http://curl.haxx.se/docs/adv_20160127B.html
author: Ray Satiro <raysatiro@yahoo.com> 2016-01-26 23:23:15 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2016-01-26 23:42:55 +0100
commit: 3017d8a8d8849ebd4feae4f5eae037cd55736a61 (patch)
tree: 976231c185eafd16960d905dc73a7ca0c04ff59f /src/tool_operate.c
parent: cea1fd7a9414b628e3b462b08ee3b64f24a689d1 (diff)
1 files changed, 20 insertions, 9 deletions
diff --git a/src/tool_operate.c b/src/tool_operate.c
index 30d60cb33..272ebd4f7 100644
--- a/src/tool_operate.c
+++ b/src/tool_operate.c
@@ -543,26 +543,37 @@ static CURLcode operate_do(struct GlobalConfig *global,
             result = get_url_file_name(&outfile, this_url);
             if(result)
               goto show_error;
+
+#if defined(MSDOS) || defined(WIN32)
+            result = sanitize_file_name(&outfile);
+            if(result) {
+              Curl_safefree(outfile);
+              goto show_error;
+            }
+#endif /* MSDOS || WIN32 */
+
             if(!*outfile && !config->content_disposition) {
               helpf(global->errors, "Remote file name has no length!\n");
               result = CURLE_WRITE_ERROR;
               goto quit_urls;
             }
-#if defined(MSDOS) || defined(WIN32)
-            /* For DOS and WIN32, we do some major replacing of
-               bad characters in the file name before using it */
-            outfile = sanitize_dos_name(outfile);
-            if(!outfile) {
-              result = CURLE_OUT_OF_MEMORY;
-              goto show_error;
-            }
-#endif /* MSDOS || WIN32 */
           }
           else if(urls) {
             /* fill '#1' ... '#9' terms from URL pattern */
             char *storefile = outfile;
             result = glob_match_url(&outfile, storefile, urls);
             Curl_safefree(storefile);
+
+#if defined(MSDOS) || defined(WIN32)
+            if(!result) {
+              result = sanitize_file_name(&outfile);
+              if(result) {
+                Curl_safefree(outfile);
+                goto show_error;
+              }
+            }
+#endif /* MSDOS || WIN32 */
+
             if(result) {
               /* bad globbing */
               warnf(config->global, "bad output glob!\n");
author	Ray Satiro <raysatiro@yahoo.com>	2016-01-26 23:23:15 +0100
committer	Daniel Stenberg <daniel@haxx.se>	2016-01-26 23:42:55 +0100
commit	3017d8a8d8849ebd4feae4f5eae037cd55736a61 (patch)
tree	976231c185eafd16960d905dc73a7ca0c04ff59f /src/tool_operate.c
parent	cea1fd7a9414b628e3b462b08ee3b64f24a689d1 (diff)