From: hniksic Date: Sat, 7 May 2005 01:06:26 +0000 (-0700) Subject: [svn] Prevent newlines in FTP command arguments causing inadvertent sending of X-Git-Tag: v1.13~1072 X-Git-Url: http://sjero.net/git/?p=wget;a=commitdiff_plain;h=9bdeaf453d671a688f85e856c525c494cd542014 [svn] Prevent newlines in FTP command arguments causing inadvertent sending of multiple FTP commands. --- diff --git a/src/ChangeLog b/src/ChangeLog index d5044c72..29ab9f30 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2005-05-07 Hrvoje Niksic + + * ftp-basic.c (ftp_request): Prevent newlines in VALUE causing + inadvertent sending of multiple FTP commands. + 2005-05-07 Hrvoje Niksic * url.c (decide_copy_method): Never cause reencode_escapes to diff --git a/src/ftp-basic.c b/src/ftp-basic.c index c6df9b88..379a6eab 100644 --- a/src/ftp-basic.c +++ b/src/ftp-basic.c @@ -103,7 +103,27 @@ ftp_request (const char *command, const char *value) { char *res; if (value) - res = concat_strings (command, " ", value, "\r\n", (char *) 0); + { + /* Check for newlines in VALUE (possibly injected by the %0A URL + escape) making the callers inadvertently send multiple FTP + commands at once. Without this check an attacker could + intentionally redirect to ftp://server/fakedir%0Acommand.../ + and execute arbitrary FTP command on a remote FTP server. */ + if (strpbrk (value, "\r\n")) + { + /* Copy VALUE to the stack and modify CR/LF to space. */ + char *defanged, *p; + STRDUP_ALLOCA (defanged, value); + for (p = defanged; *p; p++) + if (*p == '\r' || *p == '\n') + *p = ' '; + DEBUGP (("\nDetected newlines in %s \"%s\"; changing to %s \"%s\"\n", + command, escnonprint (value), command, escnonprint (defanged))); + /* Make VALUE point to the defanged copy of the string. */ + value = defanged; + } + res = concat_strings (command, " ", value, "\r\n", (char *) 0); + } else res = concat_strings (command, "\r\n", (char *) 0); if (opt.server_response)