diff options
Diffstat (limited to 'www/curl/patches/patch-ba')
-rw-r--r-- | www/curl/patches/patch-ba | 120 |
1 files changed, 120 insertions, 0 deletions
diff --git a/www/curl/patches/patch-ba b/www/curl/patches/patch-ba new file mode 100644 index 00000000000..5dde8b3e963 --- /dev/null +++ b/www/curl/patches/patch-ba @@ -0,0 +1,120 @@ +$NetBSD: patch-ba,v 1.1.2.2 2012/01/28 06:26:19 sbd Exp $ + +CVE-2012-0036 + +--- lib/escape.c.orig 2011-11-04 22:32:56.000000000 +0000 ++++ lib/escape.c +@@ -31,6 +31,7 @@ + #include "urldata.h" + #include "warnless.h" + #include "non-ascii.h" ++#include "escape.h" + + #define _MPRINTF_REPLACE /* use our functions only */ + #include <curl/mprintf.h> +@@ -84,7 +85,7 @@ char *curl_easy_escape(CURL *handle, con + char *testing_ptr = NULL; + unsigned char in; /* we need to treat the characters unsigned */ + size_t newlen = alloc; +- int strindex=0; ++ size_t strindex=0; + size_t length; + CURLcode res; + +@@ -132,23 +133,29 @@ char *curl_easy_escape(CURL *handle, con + } + + /* +- * Unescapes the given URL escaped string of given length. Returns a +- * pointer to a malloced string with length given in *olen. +- * If length == 0, the length is assumed to be strlen(string). +- * If olen == NULL, no output length is stored. ++ * Curl_urldecode() URL decodes the given string. ++ * ++ * Optionally detects control characters (byte codes lower than 32) in the ++ * data and rejects such data. ++ * ++ * Returns a pointer to a malloced string in *ostring with length given in ++ * *olen. If length == 0, the length is assumed to be strlen(string). ++ * + */ +-char *curl_easy_unescape(CURL *handle, const char *string, int length, +- int *olen) ++CURLcode Curl_urldecode(struct SessionHandle *data, ++ const char *string, size_t length, ++ char **ostring, size_t *olen, ++ bool reject_ctrl) + { +- int alloc = (length?length:(int)strlen(string))+1; ++ size_t alloc = (length?length:strlen(string))+1; + char *ns = malloc(alloc); + unsigned char in; +- int strindex=0; ++ size_t strindex=0; + unsigned long hex; + CURLcode res; + + if(!ns) +- return NULL; ++ return CURLE_OUT_OF_MEMORY; + + while(--alloc > 0) { + in = *string; +@@ -164,16 +171,20 @@ char *curl_easy_unescape(CURL *handle, c + + in = curlx_ultouc(hex); /* this long is never bigger than 255 anyway */ + +- res = Curl_convert_from_network(handle, &in, 1); ++ res = Curl_convert_from_network(data, &in, 1); + if(res) { + /* Curl_convert_from_network calls failf if unsuccessful */ + free(ns); +- return NULL; ++ return res; + } + + string+=2; + alloc-=2; + } ++ if(reject_ctrl && (in < 0x20)) { ++ free(ns); ++ return CURLE_URL_MALFORMAT; ++ } + + ns[strindex++] = in; + string++; +@@ -183,7 +194,33 @@ char *curl_easy_unescape(CURL *handle, c + if(olen) + /* store output size */ + *olen = strindex; +- return ns; ++ ++ if(ostring) ++ /* store output string */ ++ *ostring = ns; ++ ++ return CURLE_OK; ++} ++ ++/* ++ * Unescapes the given URL escaped string of given length. Returns a ++ * pointer to a malloced string with length given in *olen. ++ * If length == 0, the length is assumed to be strlen(string). ++ * If olen == NULL, no output length is stored. ++ */ ++char *curl_easy_unescape(CURL *handle, const char *string, int length, ++ int *olen) ++{ ++ char *str = NULL; ++ size_t inputlen = length; ++ size_t outputlen; ++ CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen, ++ FALSE); ++ if(res) ++ return NULL; ++ if(olen) ++ *olen = curlx_uztosi(outputlen); ++ return str; + } + + /* For operating systems/environments that use different malloc/free |