curl-curl

git-market/curl-curl

Fork 0

mirror of https://github.com/curl/curl.git synced 2026-04-13 00:31:41 +08:00

Commit Graph

Author	SHA1	Message	Date
Ercan Ermis	c3f04e76ae	ftp: reject PWD responses containing control characters A malicious or compromised FTP server could include control characters (e.g. bare \r, or bytes 0x01-0x1f/0x7f) inside the quoted directory path of its 257 PWD response. That string is stored verbatim as ftpc->entrypath and later sent unescaped in a CWD command on connection reuse via Curl_pp_sendf(), which performs no sanitization before appending \r\n. Reject the entire path if any control character is encountered during extraction so that tainted data never reaches a subsequent FTP command. Add test case 3217 and 3218 to verify. Adjusted test 1152 accordingly. Closes #20949	2026-03-18 11:24:41 +01:00

Author

SHA1

Message

Date

Ercan Ermis

c3f04e76ae

ftp: reject PWD responses containing control characters

A malicious or compromised FTP server could include control characters
(e.g. bare \r, or bytes 0x01-0x1f/0x7f) inside the quoted directory path
of its 257 PWD response. That string is stored verbatim as
ftpc->entrypath and later sent unescaped in a CWD command on connection
reuse via Curl_pp_sendf(), which performs no sanitization before
appending \r\n.

Reject the entire path if any control character is encountered during
extraction so that tainted data never reaches a subsequent FTP command.

Add test case 3217 and 3218 to verify. Adjusted test 1152 accordingly.

Closes #20949

2026-03-18 11:24:41 +01:00

1 Commits