FTP: reject path components with control codes

Refuse to operate when given path components featuring byte values lower than 32. Previously, inserting a %00 sequence early in the directory part when using the 'singlecwd' ftp method could make curl write a zero byte outside of the allocated buffer. Test case 340 verifies. CVE-2018-1000120 Reported-by: Duy Phan Thanh Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
author: Daniel Stenberg <daniel@haxx.se> 2018-01-31 08:40:11 +0100
committer: Daniel Stenberg <daniel@haxx.se> 2018-03-12 07:47:07 +0100
commit: 535432c0adb62fe167ec09621500470b6fa4eb0f (patch)
tree: 1f57399b99b215172fe58c051f9bf4180beace05 /tests/data/test340
parent: d52dc4760f6d9ca1937eefa2093058a952465128 (diff)
1 files changed, 40 insertions, 0 deletions
diff --git a/tests/data/test340 b/tests/data/test340
new file mode 100644
index 000000000..d834d767c
--- /dev/null
+++ b/tests/data/test340
@@ -0,0 +1,40 @@
+<testcase>
+<info>
+<keywords>
+FTP
+PASV
+CWD
+--ftp-method
+singlecwd
+</keywords>
+</info>
+#
+# Server-side
+<reply>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+ <name>
+FTP using %00 in path with singlecwd
+ </name>
+ <command>
+--ftp-method singlecwd ftp://%HOSTIP:%FTPPORT/%00first/second/third/340
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<protocol>
+USER anonymous
+PASS ftp@example.com
+PWD
+</protocol>
+<errorcode>
+3
+</errorcode>
+</verify>
+</testcase>
author	Daniel Stenberg <daniel@haxx.se>	2018-01-31 08:40:11 +0100
committer	Daniel Stenberg <daniel@haxx.se>	2018-03-12 07:47:07 +0100
commit	535432c0adb62fe167ec09621500470b6fa4eb0f (patch)
tree	1f57399b99b215172fe58c051f9bf4180beace05 /tests/data/test340
parent	d52dc4760f6d9ca1937eefa2093058a952465128 (diff)