curl/lib
Daniel Stenberg 535432c0ad
FTP: reject path components with control codes
Refuse to operate when given path components featuring byte values lower
than 32.

Previously, inserting a %00 sequence early in the directory part when
using the 'singlecwd' ftp method could make curl write a zero byte
outside of the allocated buffer.

Test case 340 verifies.

CVE-2018-1000120
Reported-by: Duy Phan Thanh
Bug: https://curl.haxx.se/docs/adv_2018-9cd6.html
2018-03-12 07:47:07 +01:00
vauth ntlm: remove unnecessary NULL-check to please scan-build 2017-11-21 09:02:40 +01:00
vtls WolfSSL: adding TLSv1.3 2018-03-05 00:02:34 +01:00
.gitattributes
.gitignore
amigaos.c
amigaos.h
arpa_telnet.h
asyn-ares.c build: remove HAVE_LIMITS_H check 2018-01-05 23:34:30 -05:00
asyn-thread.c time: rename Curl_tvnow to Curl_now 2017-10-25 18:48:05 +02:00
asyn.h
base64.c
checksrc.pl spelling fixes 2018-02-23 23:29:01 +00:00
CMakeLists.txt cmake: Export libcurl and curl targets to use by other cmake projects 2017-10-28 17:22:47 +02:00
config-amigaos.h
config-dos.h build: remove HAVE_LIMITS_H check 2018-01-05 23:34:30 -05:00
config-mac.h
config-os400.h os400: add missing symbols in config file. 2017-10-19 18:48:21 +01:00
config-riscos.h
config-symbian.h build: remove HAVE_LIMITS_H check 2018-01-05 23:34:30 -05:00
config-tpf.h build: remove HAVE_LIMITS_H check 2018-01-05 23:34:30 -05:00
config-vxworks.h build: remove HAVE_LIMITS_H check 2018-01-05 23:34:30 -05:00
config-win32.h curl_addrinfo.c: Allow Unix Domain Sockets to compile under Windows 2018-02-07 21:33:57 +00:00
config-win32ce.h build: remove HAVE_LIMITS_H check 2018-01-05 23:34:30 -05:00
conncache.c conncache: fix a return code [regression] 2017-12-12 23:54:35 +01:00
conncache.h conncache: fix several lock issues 2017-12-05 23:21:02 +01:00
connect.c url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT 2018-02-20 17:51:43 -05:00
connect.h url: Add option CURLOPT_HAPPY_EYEBALLS_TIMEOUT 2018-02-20 17:51:43 -05:00
content_encoding.c content_encoding: Add "none" alias to "identity" 2018-02-09 03:11:18 -05:00
content_encoding.h HTTP: support multiple Content-Encodings 2017-11-05 15:09:48 +01:00
cookie.c cookies: remove verbose "cookie size:" output 2018-01-25 17:33:35 +01:00
cookie.h cookies: reject oversized cookies 2017-09-18 22:55:50 +02:00
curl_addrinfo.c curl_addrinfo.c: Allow Unix Domain Sockets to compile under Windows 2018-02-07 21:33:57 +00:00
curl_addrinfo.h
curl_base64.h
curl_config.h.cmake build: remove HAVE_LIMITS_H check 2018-01-05 23:34:30 -05:00
curl_ctype.c curl_ctype: fix macro redefinition warnings 2018-03-03 19:52:43 +01:00
curl_ctype.h curl_ctype: private is*() type macros and functions 2018-01-29 22:56:43 +01:00
curl_des.c
curl_des.h
curl_endian.c
curl_endian.h
curl_fnmatch.c fnmatch: optimize processing of consecutive *s and ?s pattern characters 2018-02-07 15:01:51 +01:00
curl_fnmatch.h
curl_gethostname.c
curl_gethostname.h
curl_gssapi.c curl_gssapi: make sure this file too uses our *printf() 2018-02-13 22:55:29 +01:00
curl_gssapi.h
curl_hmac.h
curl_ldap.h
curl_md4.h
curl_md5.h
curl_memory.h
curl_memrchr.c
curl_memrchr.h
curl_multibyte.c
curl_multibyte.h
curl_ntlm_core.c curl_ntlm_core.c: use the limits.h's SIZE_T_MAX if provided 2017-11-27 10:40:31 +01:00
curl_ntlm_core.h ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header 2017-09-23 13:58:14 -04:00
curl_ntlm_wb.c spelling fixes 2018-02-23 23:29:01 +00:00
curl_ntlm_wb.h
curl_path.c sftp: allow quoted commands to use relative paths 2017-12-09 13:38:38 +01:00
curl_path.h sftp: allow quoted commands to use relative paths 2017-12-09 13:38:38 +01:00
curl_printf.h
curl_range.c Curl_range: fix FTP-only and FILE-only builds 2018-03-11 20:33:04 +01:00
curl_range.h Curl_range: commonize FTP and FILE range handling 2018-01-30 17:23:26 +01:00
curl_rtmp.c curl_rtmp: fix a compiler warning 2017-07-28 16:41:29 +02:00
curl_rtmp.h
curl_sasl.c sasl: prefer PLAIN mechanism over LOGIN 2018-02-21 17:42:25 +01:00
curl_sasl.h
curl_sec.h
curl_setup_once.h curl_ctype: private is*() type macros and functions 2018-01-29 22:56:43 +01:00
curl_setup.h curl_setup: move the precautionary define of SIZEOF_TIME_T 2018-01-31 23:01:01 +01:00
curl_sha256.h auth: add support for RFC7616 - HTTP Digest access authentication 2017-10-28 16:32:43 +02:00
curl_sspi.c
curl_sspi.h
curl_threads.c curl_threads: fix MSVC compiler warning 2017-08-01 17:22:30 +02:00
curl_threads.h
curlx.h curlx: the timeval functions are no longer provided as curlx_* 2017-10-30 16:41:44 +01:00
dict.c code style: use spaces around equals signs 2017-09-11 09:29:50 +02:00
dict.h
dotdot.c code style: use spaces around pluses 2017-09-11 09:29:50 +02:00
dotdot.h
easy.c header callback: don't chop headers into smaller pieces 2018-02-16 22:54:08 +01:00
easyif.h
escape.c escape.c: error: pointer targets differ in signedness 2017-09-15 16:56:23 +02:00
escape.h
file.c time_t-fixes: remove typecasts to 'long' for info.filetime 2018-02-01 07:50:59 +01:00
file.h
fileinfo.c
fileinfo.h
firefox-db2pem.sh
formdata.c formdata: use the mime-content type function 2018-02-05 13:50:30 +01:00
formdata.h mime: unified to use the typedef'd mime structs everywhere 2017-09-05 17:33:16 +01:00
ftp.c FTP: reject path components with control codes 2018-03-12 07:47:07 +01:00
ftp.h ftp: fix CWD when doing multicwd then nocwd on same connection 2017-08-17 10:08:11 +02:00
ftplistparser.c TODO fixed: Detect when called from within callbacks 2018-02-15 09:36:03 +01:00
ftplistparser.h
getenv.c
getinfo.c time: support > year 2038 time stamps for system with 32bit long 2018-01-30 08:29:59 +01:00
getinfo.h
gopher.c code style: use spaces around equals signs 2017-09-11 09:29:50 +02:00
gopher.h
hash.c code style: use space after semicolon 2017-09-12 09:50:24 +02:00
hash.h
hmac.c
hostasyn.c resolvers: only include anything if needed 2017-10-27 13:20:13 +02:00
hostcheck.c configure: check for netinet/in6.h 2017-12-06 00:19:09 +01:00
hostcheck.h
hostip4.c resolvers: only include anything if needed 2017-10-27 13:20:13 +02:00
hostip6.c resolvers: only include anything if needed 2017-10-27 13:20:13 +02:00
hostip.c hostip: fix compiler warning: 'variable set but not used' 2018-03-11 20:27:38 +01:00
hostip.h
hostsyn.c resolvers: only include anything if needed 2017-10-27 13:20:13 +02:00
http2.c http2: verbose output new MAX_CONCURRENT_STREAMS values 2018-03-10 23:56:21 +01:00
http2.h http2: fix OOM crash 2017-06-18 23:57:45 +02:00
http_chunks.c http_chunks: don't write chunks twice with CURLOPT_HTTP_TRANSFER_DECODING on 2018-02-12 03:47:36 +01:00
http_chunks.h
http_digest.c
http_digest.h
http_negotiate.c
http_negotiate.h
http_ntlm.c ntlm: move NTLM_NEEDS_NSS_INIT define into core NTLM header 2017-09-23 13:58:14 -04:00
http_ntlm.h
http_proxy.c HTTP: allow "header;" to replace an internal header with a blank one 2018-03-11 11:46:10 +01:00
http_proxy.h http_proxy: fix build with http and proxy 2017-06-18 15:18:15 +02:00
http.c HTTP: allow "header;" to replace an internal header with a blank one 2018-03-11 11:46:10 +01:00
http.h Curl_checkheaders: make it available for IMAP and SMTP too 2017-09-11 00:26:17 +02:00
idn_win32.c
if2ip.c code style: use spaces around pluses 2017-09-11 09:29:50 +02:00
if2ip.h ipv6_scope: support unique local addresses 2017-08-13 17:52:15 +02:00
imap.c smtp/pop3/imap_get_message: decrease the data length too... 2018-01-15 21:40:52 +01:00
imap.h imap: support PREAUTH 2017-08-23 23:58:49 +02:00
inet_ntop.c code style: use spaces around pluses 2017-09-11 09:29:50 +02:00
inet_ntop.h
inet_pton.c curl_setup_once: Remove ERRNO/SET_ERRNO macros 2017-07-10 02:09:27 -04:00
inet_pton.h inet_pton: fix include on windows to get prototype 2017-07-05 13:28:19 +02:00
krb5.c krb5: use nondeprecated functions 2018-03-04 22:21:46 +01:00
ldap.c ldap: silence clang warning 2017-10-15 15:59:43 +00:00
libcurl.plist
libcurl.rc
libcurl.vers.in
llist.c Curl_llist_remove: fix potential NULL pointer deref 2017-11-21 09:02:40 +01:00
llist.h
Makefile.am lib: don't export all symbols, just everything curl_* 2017-12-01 10:32:28 +01:00
makefile.amiga
Makefile.b32
makefile.dj lib: fix the djgpp build 2017-06-21 07:46:21 +02:00
Makefile.inc Curl_range: commonize FTP and FILE range handling 2018-01-30 17:23:26 +01:00
Makefile.m32 Makefile.m32: allow to customize brotli libs 2017-11-05 23:02:05 +00:00
Makefile.netware build: remove HAVE_LIMITS_H check 2018-01-05 23:34:30 -05:00
Makefile.vxworks
Makefile.Watcom lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV 2017-06-15 11:11:15 +02:00
md4.c
md5.c
memdebug.c memdebug: use send/recv signature for curl_dosend/curl_dorecv 2017-10-30 21:27:59 +01:00
memdebug.h memdebug: use send/recv signature for curl_dosend/curl_dorecv 2017-10-30 21:27:59 +01:00
mime.c formdata: use the mime-content type function 2018-02-05 13:50:30 +01:00
mime.h formdata: use the mime-content type function 2018-02-05 13:50:30 +01:00
mk-ca-bundle.pl scripts: allow all perl scripts to be run directly 2018-01-07 15:42:11 -05:00
mk-ca-bundle.vbs spelling fixes 2018-02-23 23:29:01 +00:00
mprintf.c code style: remove wrong uses of multiple spaces 2017-09-12 13:54:54 +02:00
multi.c TODO fixed: Detect when called from within callbacks 2018-02-15 09:36:03 +01:00
multihandle.h TODO fixed: Detect when called from within callbacks 2018-02-15 09:36:03 +01:00
multiif.h TODO fixed: Detect when called from within callbacks 2018-02-15 09:36:03 +01:00
netrc.c code style: use spaces around equals signs 2017-09-11 09:29:50 +02:00
netrc.h
non-ascii.c non-ascii: fix implicit declaration warning 2018-02-15 15:52:41 -05:00
non-ascii.h mime: new MIME API. 2017-09-02 17:47:10 +01:00
nonblock.c
nonblock.h
nwlib.c
nwos.c
objnames-test08.sh
objnames-test10.sh
objnames.inc spelling fixes 2018-02-23 23:29:01 +00:00
openldap.c openldap: fix checksrc nits 2017-12-06 14:58:26 +01:00
parsedate.c spelling fixes 2018-02-23 23:29:01 +00:00
parsedate.h
pingpong.c time: rename Curl_tvnow to Curl_now 2017-10-25 18:48:05 +02:00
pingpong.h time: rename Curl_tvnow to Curl_now 2017-10-25 18:48:05 +02:00
pipeline.c PIPELINING_SERVER_BL: cleanup the internal list use 2017-06-19 09:14:49 +02:00
pipeline.h
pop3.c smtp/pop3/imap_get_message: decrease the data length too... 2018-01-15 21:40:52 +01:00
pop3.h
progress.c limit-rate: kick in even before "limit" data has been received 2018-03-11 23:54:25 +01:00
progress.h limit-rate: kick in even before "limit" data has been received 2018-03-11 23:54:25 +01:00
rand.c rand: add a clang-analyzer work-around 2017-12-13 00:45:42 +01:00
rand.h
rtsp.c HTTP: allow "header;" to replace an internal header with a blank one 2018-03-11 11:46:10 +01:00
rtsp.h handler: refactor connection checking 2017-06-30 10:17:27 +02:00
security.c build: remove HAVE_LIMITS_H check 2018-01-05 23:34:30 -05:00
select.c select: update comments 2017-10-30 16:40:28 +01:00
select.h select.h: avoid macro redefinition harder 2017-07-05 13:28:28 +02:00
sendf.c spelling fixes 2018-02-23 23:29:01 +00:00
sendf.h header callback: don't chop headers into smaller pieces 2018-02-16 22:54:08 +01:00
setopt.c url: Add option CURLOPT_RESOLVER_START_FUNCTION 2018-02-21 21:29:10 -05:00
setopt.h setopt: reintroduce non-static Curl_vsetopt() for OS400 support 2018-01-13 01:28:19 +01:00
setup-os400.h
setup-vms.h
sha256.c spelling fixes 2018-02-23 23:29:01 +00:00
share.c curl_share_setopt: va_end was not called if conncache errors 2017-11-10 15:02:11 +01:00
share.h share: add support for sharing the connection cache 2017-11-09 11:07:44 +01:00
sigpipe.h
slist.c
slist.h
smb.c get_posix_time: only check for overflows if they can happen! 2018-02-09 22:13:41 +01:00
smb.h SMB: fix numeric constant suffix and variable types 2018-01-16 22:21:59 +01:00
smtp.c smtp: fix processing of initial dot in data 2018-02-12 16:43:15 +01:00
smtp.h
sockaddr.h
socks_gssapi.c code style: use spaces around pluses 2017-09-11 09:29:50 +02:00
socks_sspi.c code style: use spaces around pluses 2017-09-11 09:29:50 +02:00
socks.c Curl_timeleft: change return type to timediff_t 2017-10-28 10:40:51 +02:00
socks.h
speedcheck.c timediff: return timediff_t from the time diff functions 2017-10-25 09:54:37 +02:00
speedcheck.h timeval: struct curltime is a struct timeval replacement 2017-07-28 15:51:25 +02:00
splay.c code style: use spaces around equals signs 2017-09-11 09:29:50 +02:00
splay.h code style: remove wrong uses of multiple spaces 2017-09-12 13:54:54 +02:00
ssh-libssh.c TODO fixed: Detect when called from within callbacks 2018-02-15 09:36:03 +01:00
ssh.c ssh: add two missing state names 2018-02-16 09:12:42 +01:00
ssh.h libssh: added SFTP support 2017-12-01 17:38:37 +01:00
strcase.c strcase: corrected comment header for Curl_strcasecompare() 2017-08-31 11:37:36 +02:00
strcase.h
strdup.c code style: use spaces around pluses 2017-09-11 09:29:50 +02:00
strdup.h
strerror.c TODO fixed: Detect when called from within callbacks 2018-02-15 09:36:03 +01:00
strerror.h
strtok.c
strtok.h
strtoofft.c strtoofft: Remove extraneous null check 2017-10-06 14:49:28 +02:00
strtoofft.h progress: calculate transfer speed on milliseconds if possible 2018-01-08 23:45:09 +13:00
system_win32.c
system_win32.h
telnet.c spelling fixes 2018-02-23 23:29:01 +00:00
telnet.h
tftp.c Curl_timeleft: change return type to timediff_t 2017-10-28 10:40:51 +02:00
tftp.h
timeval.c timeval: use mach time on MacOS 2017-10-30 15:27:46 +01:00
timeval.h timeval: make timediff_t also work on 32bit windows 2017-10-26 20:22:55 +02:00
transfer.c readwrite: make sure excess reads don't go beyond buffer end 2018-03-12 07:47:07 +01:00
transfer.h HTTP: allow "header;" to replace an internal header with a blank one 2018-03-11 11:46:10 +01:00
url.c NO_PROXY: fix for IPv6 numericals in the URL 2018-03-04 19:50:48 +01:00
url.h setopt: reintroduce non-static Curl_vsetopt() for OS400 support 2018-01-13 01:28:19 +01:00
urldata.h spelling fixes 2018-02-23 23:29:01 +00:00
version.c libssh: added SFTP support 2017-12-01 17:38:37 +01:00
warnless.c CURL_SIZEOF_LONG: removed, use only SIZEOF_LONG 2017-08-17 10:27:00 +02:00
warnless.h unit1309: fix warning on Windows x64 2018-02-28 20:04:48 +01:00
wildcard.c
wildcard.h
x509asn1.c x509asn1: fix implicit-fallthrough warning with GCC 7 2017-06-03 20:10:52 +02:00
x509asn1.h