From 4520534e6d5576f0647d03d6c573c5d7d45ccf6e Mon Sep 17 00:00:00 2001 From: Jay Satiro Date: Fri, 5 Feb 2016 01:44:27 -0500 Subject: tool_doswin: Improve sanitization processing - Add unit test 1604 to test the sanitize_file_name function. - Use -DCURL_STATICLIB when building libcurltool for unit testing. - Better detection of reserved DOS device names. - New flags to modify sanitize behavior: SANITIZE_ALLOW_COLONS: Allow colons SANITIZE_ALLOW_PATH: Allow path separators and colons SANITIZE_ALLOW_RESERVED: Allow reserved device names SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename - Restore sanitization of banned characters from user-specified outfile. Prior to this commit sanitization of a user-specified outfile was temporarily disabled in 2b6dadc because there was no way to allow path separators and colons through while replacing other banned characters. Now in such a case we call the sanitize function with SANITIZE_ALLOW_PATH which allows path separators and colons to pass through. Closes https://github.com/curl/curl/issues/624 Reported-by: Octavio Schroeder --- src/tool_urlglob.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'src/tool_urlglob.c')
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index 0b714af80..39cb32d6c 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -24,6 +24,8 @@
 #define ENABLE_CURLX_PRINTF /* use our own printf() functions */
 #include "curlx.h"
+#include "tool_cfgable.h"
+#include "tool_doswin.h"
 #include "tool_urlglob.h"
 #include "tool_vms.h"
@@ -666,6 +668,19 @@ CURLcode glob_match_url(char **result, char *filename, URLGlob *glob)
 stringlen += appendlen;
 }
 target[stringlen]= '\0';
+
+#if defined(MSDOS) || defined(WIN32)
+ {
+ char *sanitized;
+ SANITIZEcode sc = sanitize_file_name(&sanitized, target,
+ SANITIZE_ALLOW_PATH);
+ Curl_safefree(target);
+ if(sc)
+ return CURLE_URL_MALFORMAT;
+ target = sanitized;
+ }
+#endif /* MSDOS || WIN32 */
+
 *result = target;
 return CURLE_OK;
 }
-- cgit v1.2.3
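Review bot: In the block added to glob_match_url, `if(sc) return CURLE_URL_MALFORMAT;` reports every sanitize failure as a malformed URL, which would mislabel an allocation failure or an over-long output name if SANITIZEcode distinguishes those (tool_doswin.h is not shown here). Assuming it does, the memory case should be mapped separately, e.g. `if(sc) return (sc == SANITIZE_ERR_OUT_OF_MEMORY) ? CURLE_OUT_OF_MEMORY : CURLE_URL_MALFORMAT;`. The call also deserves a short comment, such as `/* the -o template may name a drive and directories, so separators and colons pass through; other banned characters are still replaced */`, because with SANITIZE_ALLOW_PATH it should not be read as a check that the expanded name stays inside an intended directory. The function body starts before the hunk, so how `target` is allocated and how earlier errors are returned could not be compared.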