mirror of
https://github.com/curl/curl.git
synced 2026-04-11 12:01:42 +08:00
c3f04e76ae
A malicious or compromised FTP server could include control characters (e.g. bare \r, or bytes 0x01-0x1f/0x7f) inside the quoted directory path of its 257 PWD response. That string is stored verbatim as ftpc->entrypath and later sent unescaped in a CWD command on connection reuse via Curl_pp_sendf(), which performs no sanitization before appending \r\n. Reject the entire path if any control character is encountered during extraction so that tainted data never reaches a subsequent FTP command. Add test case 3217 and 3218 to verify. Adjusted test 1152 accordingly. Closes #20949
43 lines
557 B
XML
43 lines
557 B
XML
<?xml version="1.0" encoding="US-ASCII"?>
|
|
<testcase>
|
|
<info>
|
|
<keywords>
|
|
FTP
|
|
PASV
|
|
RETR
|
|
FAILURE
|
|
</keywords>
|
|
</info>
|
|
# Server-side
|
|
<reply>
|
|
<servercmd>
|
|
REPLY PWD 257 %hex["/%0d"]hex%
|
|
</servercmd>
|
|
</reply>
|
|
|
|
# Client-side
|
|
<client>
|
|
<server>
|
|
ftp
|
|
</server>
|
|
<name>
|
|
FTP with CR control character in PWD response path
|
|
</name>
|
|
<command>
|
|
ftp://%HOSTIP:%FTPPORT/%TESTNUMBER
|
|
</command>
|
|
</client>
|
|
|
|
# Verify data after the test has been "shot"
|
|
<verify>
|
|
<errorcode>
|
|
8
|
|
</errorcode>
|
|
<protocol crlf="yes">
|
|
USER anonymous
|
|
PASS ftp@example.com
|
|
PWD
|
|
</protocol>
|
|
</verify>
|
|
</testcase>
|