1234567891011121314151617181920212223242526272829303132333435363738394041424344 |
- From 1b71bc532bde8621fd3260843f8197182a467ff2 Mon Sep 17 00:00:00 2001
- From: Daniel Stenberg <daniel@haxx.se>
- Date: Thu, 7 Nov 2019 10:13:01 +0100
- Subject: [PATCH] file: on Windows, refuse paths that start with \\
- MIME-Version: 1.0
- Content-Type: text/plain; charset=UTF-8
- Content-Transfer-Encoding: 8bit
- ... as that might cause an unexpected SMB connection to a given host
- name.
- Reported-by: Fernando Muñoz
- CVE-2019-15601
- Bug: https://curl.haxx.se/docs/CVE-2019-15601.html
- Signed-off-by: Petr Štetiar <ynezz@true.cz>
- ---
- lib/file.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
- diff --git a/lib/file.c b/lib/file.c
- index d349cd9241cd..166931d7f1ba 100644
- --- a/lib/file.c
- +++ b/lib/file.c
- @@ -136,7 +136,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
- struct Curl_easy *data = conn->data;
- char *real_path;
- struct FILEPROTO *file = data->req.protop;
- - int fd;
- + int fd = -1;
- #ifdef DOS_FILESYSTEM
- size_t i;
- char *actual_path;
- @@ -181,7 +181,9 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
- return CURLE_URL_MALFORMAT;
- }
-
- - fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
- + if(strncmp("\\\\", actual_path, 2))
- + /* refuse to open path that starts with two backslashes */
- + fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
- file->path = actual_path;
- #else
- if(memchr(real_path, 0, real_path_len)) {
|