path: root/meta/recipes-support/curl/curl/CVE-2020-8177.patch
From 8236aba58542c5f89f1d41ca09d84579efb05e22 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Sun, 31 May 2020 23:09:59 +0200
Subject: [PATCH] tool_getparam: -i is not OK if -J is used

Reported-by: sn on hackerone
Bug: https://curl.haxx.se/docs/CVE-2020-8177.html

Upstream-Status: Backport
CVE:CVE-2020-8177
Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 src/tool_cb_hdr.c   | 22 ++++------------------
 src/tool_getparam.c |  5 +++++
 2 files changed, 9 insertions(+), 18 deletions(-)

Index: curl-7.69.1/src/tool_cb_hdr.c
===================================================================
--- curl-7.69.1.orig/src/tool_cb_hdr.c
+++ curl-7.69.1/src/tool_cb_hdr.c
@@ -134,25 +134,11 @@
       filename = parse_filename(p, len);
       if(filename) {
         if(outs->stream) {
-          int rc;
-          /* already opened and possibly written to */
-          if(outs->fopened)
-            fclose(outs->stream);
-          outs->stream = NULL;
+          /* indication of problem, get out! */
+          free(filename);
+          return failure;
+      }

-          /* rename the initial file name to the new file name */
-          rc = rename(outs->filename, filename);
-          if(rc != 0) {
-            warnf(outs->config->global, "Failed to rename %s -> %s: %s\n",
-                  outs->filename, filename, strerror(errno));
-          }
-          if(outs->alloc_filename)
-            Curl_safefree(outs->filename);
-          if(rc != 0) {
-            free(filename);
-            return failure;
-          }
-        }
         outs->is_cd_filename = TRUE;
         outs->s_isreg = TRUE;
         outs->fopened = FALSE;
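Review bot: The new early exit in the `if(outs->stream)` branch returns `failure` without telling the user why, so a transfer aborted here presumably surfaces only as a generic callback error. The removed lines reported problems through `warnf(outs->config->global, ...)`; the same call would fit just before `free(filename)`, for example `warnf(outs->config->global, "Output already opened, ignoring new file name\n");` (message text is a suggestion). The added closing brace is indented six columns although it closes the `if(outs->stream)` opened at eight, so it reads as the end of `if(filename)`; it should be realigned. The enclosing header callback starts and ends outside this hunk.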
Index: curl-7.69.1/src/tool_getparam.c
===================================================================
--- curl-7.69.1.orig/src/tool_getparam.c
+++ curl-7.69.1/src/tool_getparam.c
@@ -1807,6 +1807,11 @@ ParameterError getparameter(const char *
       }
       break;
     case 'i':
+      if(config->content_disposition) {
+        warnf(global,
+              "--include and --remote-header-name cannot be combined.\n");
+        return PARAM_BAD_USE;
+      }
       config->show_headers = toggle; /* show the headers as well in the
                                         general output stream */
       break;
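Review bot: The guard added under `case 'i':` catches the combination only when `-J` was parsed before `-i`, because it tests `config->content_disposition` at the moment `-i` is seen. The reverse order has to be rejected by a matching test on `config->show_headers` in the `-J` case, which is outside this hunk and should be confirmed present in the 7.69.1 tree this backport targets. The guard also ignores `toggle`, so a harmless `--no-include` after `-J` would be rejected as well; `if(toggle && config->content_disposition) {` would limit the error to the case that actually enables header output. getparameter's body starts and ends outside the hunk.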