Skip to content

Commit 4520534

Browse files
jayjay
committed
tool_doswin: Improve sanitization processing
- Add unit test 1604 to test the sanitize_file_name function. - Use -DCURL_STATICLIB when building libcurltool for unit testing. - Better detection of reserved DOS device names. - New flags to modify sanitize behavior: SANITIZE_ALLOW_COLONS: Allow colons SANITIZE_ALLOW_PATH: Allow path separators and colons SANITIZE_ALLOW_RESERVED: Allow reserved device names SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename - Restore sanitization of banned characters from user-specified outfile. Prior to this commit sanitization of a user-specified outfile was temporarily disabled in 2b6dadc because there was no way to allow path separators and colons through while replacing other banned characters. Now in such a case we call the sanitize function with SANITIZE_ALLOW_PATH which allows path separators and colons to pass through. Closes #624 Reported-by: Octavio Schroeder
1 parent d49881c commit 4520534

File tree

10 files changed

+780
-129
lines changed

10 files changed

+780
-129
lines changed

src/Makefile.am

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -75,8 +75,9 @@ curl_DEPENDENCIES = $(top_builddir)/lib/libcurl.la
7575
# if unit tests are enabled, build a static library to link them with
7676
if BUILD_UNITTESTS
7777
noinst_LTLIBRARIES = libcurltool.la
78-
libcurltool_la_CPPFLAGS = $(LIBMETALINK_CPPFLAGS) $(AM_CPPFLAGS)
79-
libcurltool_la_CFLAGS = -DUNITTESTS
78+
libcurltool_la_CPPFLAGS = $(LIBMETALINK_CPPFLAGS) $(AM_CPPFLAGS) \
79+
-DCURL_STATICLIB -DUNITTESTS
80+
libcurltool_la_CFLAGS =
8081
libcurltool_la_LDFLAGS = -static $(LINKFLAGS)
8182
libcurltool_la_SOURCES = $(curl_SOURCES)
8283
endif

src/tool_cb_hdr.c

Lines changed: 22 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -115,24 +115,18 @@ size_t tool_header_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
115115
*/
116116
len = (ssize_t)cb - (p - str);
117117
filename = parse_filename(p, len);
118-
if(!filename)
119-
return failure;
120-
121-
#if defined(MSDOS) || defined(WIN32)
122-
if(sanitize_file_name(&filename)) {
123-
free(filename);
124-
return failure;
118+
if(filename) {
119+
outs->filename = filename;
120+
outs->alloc_filename = TRUE;
121+
outs->is_cd_filename = TRUE;
122+
outs->s_isreg = TRUE;
123+
outs->fopened = FALSE;
124+
outs->stream = NULL;
125+
hdrcbdata->honor_cd_filename = FALSE;
126+
break;
125127
}
126-
#endif /* MSDOS || WIN32 */
127-
128-
outs->filename = filename;
129-
outs->alloc_filename = TRUE;
130-
outs->is_cd_filename = TRUE;
131-
outs->s_isreg = TRUE;
132-
outs->fopened = FALSE;
133-
outs->stream = NULL;
134-
hdrcbdata->honor_cd_filename = FALSE;
135-
break;
128+
else
129+
return failure;
136130
}
137131
}
138132

@@ -207,6 +201,17 @@ static char *parse_filename(const char *ptr, size_t len)
207201
if(copy != p)
208202
memmove(copy, p, strlen(p) + 1);
209203

204+
#if defined(MSDOS) || defined(WIN32)
205+
{
206+
char *sanitized;
207+
SANITIZEcode sc = sanitize_file_name(&sanitized, copy, 0);
208+
Curl_safefree(copy);
209+
if(sc)
210+
return NULL;
211+
copy = sanitized;
212+
}
213+
#endif /* MSDOS || WIN32 */
214+
210215
/* in case we built debug enabled, we allow an evironment variable
211216
* named CURL_TESTDIR to prefix the given file name to put it into a
212217
* specific directory

0 commit comments

Comments
 (0)