Test 1231 doesn't work when using an external HTTP proxy.
The attached test 1232 reproduces the problem without requiring
an external HTTP proxy:

fk@r500 ~/git/curl/tests $./runtests.pl -a -n 1232
********* System characteristics ******** 
* curl 7.32.0-DEV (amd64-unknown-freebsd10.0) 
* libcurl/7.32.0-DEV OpenSSL/1.0.1e zlib/1.2.8 libidn/1.27
* Features: Debug TrackMemory IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP 
* Host: r500.local
* System: FreeBSD r500.local 10.0-CURRENT FreeBSD 10.0-CURRENT #588 r+065751c: 
Mon Jul  8 15:08:08 CEST 2013     fk@r500.local:/usr/obj/usr/src/sys/ZOEY  amd64
* Server SSL:        ON   libcurl SSL:  ON 
* debug build:       ON   track memory: ON 
* valgrind:          OFF  HTTP IPv6     ON 
* FTP IPv6           ON   Libtool lib:  OFF
* Shared build:      no
* SSL library:       OpenSSL
* Ports:
*   HTTP/8990 FTP/8992 FTP2/8995 RTSP/9007 FTPS/8993 HTTPS/8991 
*   TFTP/8997 HTTP-IPv6/8994 RTSP-IPv6/9008 FTP-IPv6/8996 
*   GOPHER/9009 GOPHER-IPv6/9009
*   SSH/8999 SOCKS/9000 POP3/9001 IMAP/9003 SMTP/9005
*   POP3-IPv6/9002 IMAP-IPv6/9004 SMTP-IPv6/9006
*   HTTPTLS/9011 HTTPTLS-IPv6/9012 
*   HTTP-PIPE/9014 
***************************************** 
test 1232...[HTTP URL with dotdot removal from path using an HTTP proxy]

 1232: protocol FAILED:
--- log/check-expected  2013-07-13 14:59:23.777477791 +0200
+++ log/check-generated 2013-07-13 14:59:23.777477791 +0200
@@ -1,9 +1,9 @@
-GET http://test.remote.haxx.se.1232:8990/hej/but/1232?stupid=me/../1232 
HTTP/1.1
+GET 
http://test.remote.haxx.se.1232:8990/../../hej/but/hej/but/1232?stupid=me/../1232
 HTTP/1.1
 Host: test.remote.haxx.se.1232:8990
 Accept: */*
 Proxy-Connection: Keep-Alive
 
-GET http://test.remote.haxx.se.1232:8990/hej/but/12320001 HTTP/1.1
+GET 
http://test.remote.haxx.se.1232:8990/../../hej/but/who/../12320/hej/but/12320001
 HTTP/1.1
 Host: test.remote.haxx.se.1232:8990
 Accept: */*
 Proxy-Connection: Keep-Alive
TESTDONE: 1 tests were considered during 2 seconds.
TESTDONE: 0 tests out of 1 reported OK: 0%
TESTFAIL: These test cases failed: 1232 

I also attached a potential fix, but I suspect someone more familiar
with libcurl's internals could come up with a more elegant solution.

Finally there's a trivial comment fix for dotdot.c.

Fabian

Attachment: dotdot-removal-fix.tar.gz
Description: application/gzip

Attachment: signature.asc
Description: PGP signature
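The behaviour test 1232 expects, sketched as an added example (not the attached fix and not libcurl's own code): when the request line carries an absolute URL for a proxy, dot segments are removed from the path only, and the scheme, authority and query stay untouched. The function names and the input URL are assumptions made for illustration; the input was constructed to match the expected request line in the log above.

```c
#include <stdio.h>
#include <string.h>

/* In-place removal of "." and ".." segments from an absolute path
   (the absolute-path cases of RFC 3986 section 5.2.4). */
static void remove_dot_segments(char *path)
{
  char *in = path, *out = path;
  while(*in) {
    int up = !strncmp(in, "/../", 4) || !strcmp(in, "/..");
    if(up || !strncmp(in, "/./", 3) || !strcmp(in, "/.")) {
      in += up ? 3 : 2;          /* skip the dot segment */
      if(!*in)
        *--in = '/';             /* trailing "/." or "/.." leaves "/" */
      while(up && out > path && *--out != '/')
        ;                        /* ".." also drops the previous segment */
    }
    else {
      do                         /* copy one "/segment" to the output */
        *out++ = *in++;
      while(*in && *in != '/');
    }
  }
  *out = '\0';
}

/* Hypothetical helper: normalize only the path of an absolute URL.
   Returns 0 on success, -1 if there is no scheme or dst is too small. */
int normalize_proxy_url(const char *url, char *dst, size_t dstlen)
{
  const char *p = strstr(url, "://"), *end;
  if(!p || strlen(url) >= dstlen)
    return -1;
  p += 3 + strcspn(p + 3, "/?#");   /* start of the path (may be empty) */
  end = p + strcspn(p, "?#");       /* end of the path, start of query */
  memcpy(dst, url, (size_t)(end - url));
  dst[end - url] = '\0';
  remove_dot_segments(dst + (p - url));
  strcat(dst, end);                 /* query/fragment copied verbatim */
  return 0;
}

int main(void)
{
  char buf[256];                    /* constructed input URL below */
  if(!normalize_proxy_url("http://test.remote.haxx.se.1232:8990"
       "/../../hej/but/who/../1232?stupid=me/../1232", buf, sizeof(buf)))
    puts(buf);
  return 0;
}
```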
