curl: backport fix for CVE-2019-15601

On Windows, refuse paths that start with \\ ... as that might cause an
unexpected SMB connection to a given host name.

Ref: PR#2730
Ref: https://curl.haxx.se/docs/CVE-2019-15601.html
Suggested-by: Jerome Benoit <jerome.benoit@sap.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
v19.07.3_mercusys_ac12_duma
Petr Štetiar 4 years ago
parent 35ea808b97
commit 55591e63bc

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=curl
PKG_VERSION:=7.66.0
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://dl.uxnr.de/mirror/curl/ \

@ -0,0 +1,44 @@
From 1b71bc532bde8621fd3260843f8197182a467ff2 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 7 Nov 2019 10:13:01 +0100
Subject: [PATCH] file: on Windows, refuse paths that start with \\
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
... as that might cause an unexpected SMB connection to a given host
name.
Reported-by: Fernando Muñoz
CVE-2019-15601
Bug: https://curl.haxx.se/docs/CVE-2019-15601.html
Signed-off-by: Petr Štetiar <ynezz@true.cz>
---
lib/file.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/file.c b/lib/file.c
index d349cd9241cd..166931d7f1ba 100644
--- a/lib/file.c
+++ b/lib/file.c
@@ -136,7 +136,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
struct Curl_easy *data = conn->data;
char *real_path;
struct FILEPROTO *file = data->req.protop;
- int fd;
+ int fd = -1;
#ifdef DOS_FILESYSTEM
size_t i;
char *actual_path;
@@ -181,7 +181,9 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
return CURLE_URL_MALFORMAT;
}
- fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
+ if(strncmp("\\\\", actual_path, 2))
+ /* refuse to open path that starts with two backslashes */
+ fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
file->path = actual_path;
#else
if(memchr(real_path, 0, real_path_len)) {
Loading…
Cancel
Save