tool_doswin: Improve sanitization processing

- Add unit test 1604 to test the sanitize_file_name function. - Use -DCURL_STATICLIB when building libcurltool for unit testing. - Better detection of reserved DOS device names. - New flags to modify sanitize behavior: SANITIZE_ALLOW_COLONS: Allow colons SANITIZE_ALLOW_PATH: Allow path separators and colons SANITIZE_ALLOW_RESERVED: Allow reserved device names SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename - Restore sanitization of banned characters from user-specified outfile. Prior to this commit sanitization of a user-specified outfile was temporarily disabled in 2b6dadc because there was no way to allow path separators and colons through while replacing other banned characters. Now in such a case we call the sanitize function with SANITIZE_ALLOW_PATH which allows path separators and colons to pass through. Closes #624 Reported-by: Octavio Schroeder
curl · Feb 5, 2016 · 4520534 · 4520534
1 parent d49881c
commit 4520534
Show file tree

Hide file tree

Showing 10 changed files with 780 additions and 129 deletions.
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -75,8 +75,9 @@ curl_DEPENDENCIES = $(top_builddir)/lib/libcurl.la
 # if unit tests are enabled, build a static library to link them with
 if BUILD_UNITTESTS
 noinst_LTLIBRARIES = libcurltool.la
-libcurltool_la_CPPFLAGS = $(LIBMETALINK_CPPFLAGS) $(AM_CPPFLAGS)
+libcurltool_la_CPPFLAGS = $(LIBMETALINK_CPPFLAGS) $(AM_CPPFLAGS) \
-libcurltool_la_CFLAGS = -DUNITTESTS
+                          -DCURL_STATICLIB -DUNITTESTS
+libcurltool_la_CFLAGS =
 libcurltool_la_LDFLAGS = -static $(LINKFLAGS)
 libcurltool_la_SOURCES = $(curl_SOURCES)
 endif

diff --git a/src/tool_cb_hdr.c b/src/tool_cb_hdr.c
@@ -115,24 +115,18 @@ size_t tool_header_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
       */
       len = (ssize_t)cb - (p - str);
       filename = parse_filename(p, len);
-      if(!filename)
+      if(filename) {
-        return failure;
+        outs->filename = filename;
-
+        outs->alloc_filename = TRUE;
-#if defined(MSDOS) || defined(WIN32)
+        outs->is_cd_filename = TRUE;
-      if(sanitize_file_name(&filename)) {
+        outs->s_isreg = TRUE;
-        free(filename);
+        outs->fopened = FALSE;
-        return failure;
+        outs->stream = NULL;
+        hdrcbdata->honor_cd_filename = FALSE;
+        break;
       }
-#endif /* MSDOS || WIN32 */
+      else
-
+        return failure;
-      outs->filename = filename;
-      outs->alloc_filename = TRUE;
-      outs->is_cd_filename = TRUE;
-      outs->s_isreg = TRUE;
-      outs->fopened = FALSE;
-      outs->stream = NULL;
-      hdrcbdata->honor_cd_filename = FALSE;
-      break;
     }
   }
 
@@ -207,6 +201,17 @@ static char *parse_filename(const char *ptr, size_t len)
   if(copy != p)
     memmove(copy, p, strlen(p) + 1);
 
+#if defined(MSDOS) || defined(WIN32)
+  {
+    char *sanitized;
+    SANITIZEcode sc = sanitize_file_name(&sanitized, copy, 0);
+    Curl_safefree(copy);
+    if(sc)
+      return NULL;
+    copy = sanitized;
+  }
+#endif /* MSDOS || WIN32 */
+
   /* in case we built debug enabled, we allow an evironment variable
    * named CURL_TESTDIR to prefix the given file name to put it into a
    * specific directory