curl tool in windows incorrectly sanitizes user-specified output pathname #624

Closed
jay opened this Issue Feb 1, 2016 · 0 comments

jay commented Feb 1, 2016

Reported via e-mail by Octavio Schroeder:

C:\temp>curl --version
curl 7.47.0 (x86_64-pc-win32) libcurl/7.47.0 OpenSSL/1.0.2f zlib/1.2.8 WinIDN libssh2/1.6.0 nghttp2/1.7.0
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL libz TLS-SRP HTTP2 

Tried downloading a file as follows:

curl www.google.com -o c:\temp\google.html

The output does not get saved in a file called google.html in the
C:\temp folder but 'c__temp_google.html' in the current working folder.
@jay jay added a commit that referenced this issue Feb 1, 2016
@jay jay tool_operate: Don't sanitize --output path (Windows)
Due to path separators being incorrectly sanitized in --output
pathnames, e.g. -o c:\foo => c__foo

This is a partial revert of 3017d8a until I write a proper fix. The
remote-name will continue to be sanitized, but if the user specified an
--output with string replacement (#1, #2, etc) that data is unsanitized
until I finish a fix.

Bug: #624
Reported-by: Octavio Schroeder
2b6dadc
@jay jay self-assigned this Feb 1, 2016
@jay jay added the cmdline tool label Feb 1, 2016
@jay jay added a commit that closed this issue Feb 5, 2016
@jay jay tool_doswin: Improve sanitization processing
- Add unit test 1604 to test the sanitize_file_name function.

- Use -DCURL_STATICLIB when building libcurltool for unit testing.

- Better detection of reserved DOS device names.

- New flags to modify sanitize behavior:

SANITIZE_ALLOW_COLONS: Allow colons
SANITIZE_ALLOW_PATH: Allow path separators and colons
SANITIZE_ALLOW_RESERVED: Allow reserved device names
SANITIZE_ALLOW_TRUNCATE: Allow truncating a long filename

- Restore sanitization of banned characters from user-specified outfile.

Prior to this commit sanitization of a user-specified outfile was
temporarily disabled in 2b6dadc because there was no way to allow path
separators and colons through while replacing other banned characters.
Now in such a case we call the sanitize function with
SANITIZE_ALLOW_PATH which allows path separators and colons to pass
through.


Closes #624
Reported-by: Octavio Schroeder
4520534
@jay jay closed this in 4520534 Feb 5, 2016
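
An added example (not code from curl or from this issue) of the flag-based behaviour the closing commit message describes: with no flags a user-supplied path is flattened as in the report, while SANITIZE_ALLOW_PATH keeps separators and colons and still replaces other banned characters. The flag names come from the commit message; their numeric values, the helper name `example_sanitize` and the sample inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Flag names are from the commit message; the numeric values are assumed. */
#define SANITIZE_ALLOW_COLONS (1 << 0) /* let ':' through */
#define SANITIZE_ALLOW_PATH   (1 << 1) /* let '\\', '/' and ':' through */

/* Hypothetical helper, not curl's sanitize_file_name: replaces characters
   that Windows bans in file names with '_' in place and returns how many
   characters were replaced. */
static int example_sanitize(char *name, int flags)
{
  int replaced = 0;
  char *p;
  for(p = name; *p; p++) {
    unsigned char c = (unsigned char)*p;
    int banned;
    if(c == '\\' || c == '/')
      banned = !(flags & SANITIZE_ALLOW_PATH);
    else if(c == ':')
      banned = !(flags & (SANITIZE_ALLOW_PATH | SANITIZE_ALLOW_COLONS));
    else
      banned = c < 32 || strchr("<>\"|?*", c) != NULL;
    if(banned) {
      *p = '_';
      replaced++;
    }
  }
  return replaced;
}

int main(void)
{
  /* Constructed sample inputs. */
  char strict[] = "c:\\temp\\google.html";    /* -o value, no flags: the bug */
  char user[]   = "c:\\temp\\goo?gle.html";   /* -o value with ALLOW_PATH */
  char remote[] = "sub\\dir:report?.txt";     /* server-supplied name, no flags */

  example_sanitize(strict, 0);
  example_sanitize(user, SANITIZE_ALLOW_PATH);
  example_sanitize(remote, 0);
  printf("%s\n%s\n%s\n", strict, user, remote);
  return 0;
}
```

The server-supplied name is processed without SANITIZE_ALLOW_PATH, so its separators and colon are replaced and the result stays a single file name in the current directory.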