[svn] Don't xfree() the line returned by ftp_response if the returned code is not

[wget] / src / ftp-basic.c

diff --git a/src/ftp-basic.c b/src/ftp-basic.c
index c6df9b88f357798faf0f47600aa9aad5c1c16bee..5c38be024fbb40838957cd009fecbdbe9567d235 100644 (file)
--- a/src/ftp-basic.c
+++ b/src/ftp-basic.c
@@ -57,7 +57,11 @@ char ftp_last_respline[128];
 /* Get the response of FTP server and allocate enough room to handle
    it.  <CR> and <LF> characters are stripped from the line, and the
    line is 0-terminated.  All the response lines but the last one are
-   skipped.  The last line is determined as described in RFC959.  */
+   skipped.  The last line is determined as described in RFC959.
+
+   If the line is successfully read, FTPOK is returned, and *ret_line
+   is assigned a freshly allocated line.  Otherwise, FTPRERR is
+   returned, and the value of *ret_line should be ignored.  */
 
 uerr_t
 ftp_response (int fd, char **ret_line)
@@ -103,7 +107,27 @@ ftp_request (const char *command, const char *value)
 {
   char *res;
   if (value)
-    res = concat_strings (command, " ", value, "\r\n", (char *) 0);
+    {
+      /* Check for newlines in VALUE (possibly injected by the %0A URL
+        escape) making the callers inadvertently send multiple FTP
+        commands at once.  Without this check an attacker could
+        intentionally redirect to ftp://server/fakedir%0Acommand.../
+        and execute arbitrary FTP command on a remote FTP server.  */
+      if (strpbrk (value, "\r\n"))
+       {
+         /* Copy VALUE to the stack and modify CR/LF to space. */
+         char *defanged, *p;
+         STRDUP_ALLOCA (defanged, value);
+         for (p = defanged; *p; p++)
+           if (*p == '\r' || *p == '\n')
+             *p = ' ';
+         DEBUGP (("\nDetected newlines in %s \"%s\"; changing to %s \"%s\"\n",
+                  command, escnonprint (value), command, escnonprint (defanged)));
+         /* Make VALUE point to the defanged copy of the string. */
+         value = defanged;
+       }
+      res = concat_strings (command, " ", value, "\r\n", (char *) 0);
+    }
   else
     res = concat_strings (command, "\r\n", (char *) 0);
   if (opt.server_response)
@@ -150,10 +174,7 @@ ftp_login (int csock, const char *acc, const char *pass)
   /* Get appropriate response.  */
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
-    {
-      xfree (respline);
-      return err;
-    }
+    return err;
   /* An unprobable possibility of logging without a password.  */
   if (*respline == '2')
     {
@@ -217,10 +238,7 @@ ftp_login (int csock, const char *acc, const char *pass)
   /* Get appropriate response.  */
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
-    {
-      xfree (respline);
-      return err;
-    }
+    return err;
   if (*respline != '2')
     {
       xfree (respline);
@@ -295,7 +313,6 @@ ftp_port (int csock, int *local_sock)
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
     {
-      xfree (respline);
       fd_close (*local_sock);
       return err;
     }
@@ -388,7 +405,6 @@ ftp_lprt (int csock, int *local_sock)
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
     {
-      xfree (respline);
       fd_close (*local_sock);
       return err;
     }
@@ -469,7 +485,6 @@ ftp_eprt (int csock, int *local_sock)
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
     {
-      xfree (respline);
       fd_close (*local_sock);
       return err;
     }
@@ -513,10 +528,7 @@ ftp_pasv (int csock, ip_address *addr, int *port)
   /* Get the server response.  */
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
-    {
-      xfree (respline);
-      return err;
-    }
+    return err;
   if (*respline != '2')
     {
       xfree (respline);
@@ -583,10 +595,7 @@ ftp_lpsv (int csock, ip_address *addr, int *port)
   /* Get the server response.  */
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
-    {
-      xfree (respline);
-      return err;
-    }
+    return err;
   if (*respline != '2')
     {
       xfree (respline);
@@ -748,10 +757,7 @@ ftp_epsv (int csock, ip_address *ip, int *port)
   /* Get the server response.  */
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
-    {
-      xfree (respline);
-      return err;
-    }
+    return err;
   if (*respline != '2')
     {
       xfree (respline);
@@ -847,10 +853,7 @@ ftp_type (int csock, int type)
   /* Get appropriate response.  */
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
-    {
-      xfree (respline);
-      return err;
-    }
+    return err;
   if (*respline != '2')
     {
       xfree (respline);
@@ -882,10 +885,7 @@ ftp_cwd (int csock, const char *dir)
   /* Get appropriate response.  */
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
-    {
-      xfree (respline);
-      return err;
-    }
+    return err;
   if (*respline == '5')
     {
       xfree (respline);
@@ -920,10 +920,7 @@ ftp_rest (int csock, wgint offset)
   /* Get appropriate response.  */
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
-    {
-      xfree (respline);
-      return err;
-    }
+    return err;
   if (*respline != '3')
     {
       xfree (respline);
@@ -954,10 +951,7 @@ ftp_retr (int csock, const char *file)
   /* Get appropriate response.  */
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
-    {
-      xfree (respline);
-      return err;
-    }
+    return err;
   if (*respline == '5')
     {
       xfree (respline);
@@ -994,10 +988,7 @@ ftp_list (int csock, const char *file)
   /* Get appropriate respone.  */
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
-    {
-      xfree (respline);
-      return err;
-    }
+    return err;
   if (*respline == '5')
     {
       xfree (respline);
@@ -1034,10 +1025,7 @@ ftp_syst (int csock, enum stype *server_type)
   /* Get appropriate response.  */
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
-    {
-      xfree (respline);
-      return err;
-    }
+    return err;
   if (*respline == '5')
     {
       xfree (respline);
@@ -1090,10 +1078,7 @@ ftp_pwd (int csock, char **pwd)
   /* Get appropriate response.  */
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
-    {
-      xfree (respline);
-      return err;
-    }
+    return err;
   if (*respline == '5')
     {
       xfree (respline);
@@ -1138,7 +1123,6 @@ ftp_size (int csock, const char *file, wgint *size)
   err = ftp_response (csock, &respline);
   if (err != FTPOK)
     {
-      xfree (respline);
       *size = 0;
       return err;
     }