From 3050ae57c0ad3a071448fb36b5d5d720910d5d00 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 19 Jan 2005 21:56:02 +0000 Subject: Stephan Bergmann made libcurl return CURLE_URL_MALFORMAT if an FTP URL contains %0a or %0d in the user, password or CWD parts. (A future fix would include doing it for %00 as well - see KNOWN_BUGS for details.) Test case 225 and 226 were added to verify this --- lib/ftp.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'lib') diff --git a/lib/ftp.c b/lib/ftp.c index 0aa734e5b..ffec9c647 100644 --- a/lib/ftp.c +++ b/lib/ftp.c @@ -149,6 +149,14 @@ static void freedirs(struct FTP *ftp) } } +/* Returns non-zero iff the given string contains CR (0x0D) or LF (0x0A), which + are not allowed within RFC 959 . + */ +static bool isBadFtpString(const char *string) +{ + return strchr(string, 0x0D) != NULL || strchr(string, 0x0A) != NULL; +} + /*********************************************************************** * * AllowServerConnect() @@ -474,6 +482,9 @@ CURLcode Curl_ftp_connect(struct connectdata *conn) /* no need to duplicate them, this connectdata struct won't change */ ftp->user = conn->user; ftp->passwd = conn->passwd; + if (isBadFtpString(ftp->user) || isBadFtpString(ftp->passwd)) { + return CURLE_URL_MALFORMAT; + } ftp->response_time = 3600; /* set default response time-out */ #ifndef CURL_DISABLE_HTTP @@ -2738,6 +2749,10 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) freedirs(ftp); return CURLE_OUT_OF_MEMORY; } + if (isBadFtpString(ftp->dirs[ftp->dirdepth])) { + freedirs(ftp); + return CURLE_URL_MALFORMAT; + } } else { cur_pos = slash_pos + 1; /* jump to the rest of the string */ @@ -2769,6 +2784,10 @@ CURLcode ftp_parse_url_path(struct connectdata *conn) failf(data, "no memory"); return CURLE_OUT_OF_MEMORY; } + if (isBadFtpString(ftp->file)) { + freedirs(ftp); + return CURLE_URL_MALFORMAT; + } } else ftp->file=NULL; /* instead of point to a zero byte, we make it a NULL -- cgit v1.2.3