
#1264 Glob parsing bug leads to strange behavior, corruption, DoS (segfault)

Status: closed-fixed
Milestone: None
Priority: 5
Updated: 2014-08-16
Created: 2013-08-15
Creator: Will Dietz
Private: No

Description

Overview

The glob_range() function in tool_urlglob.c fails to handle errors returned by the subsequent glob parsing, which allows crafted URLs to cause a variety of undesirable behavior, including memory corruption and DoS (crash).

Details

The relevant code is at tool_urlglob.c:272:

    res = glob_word(glob, c, pos + (c - pattern), &wordamount);
    if(res == GLOB_ERROR) {
      wordamount = 1;
      res = GLOB_OK;
    }

As shown above, the code ignores errors returned from attempts to parse out the globs in the remainder of the URL. This means that a malformed glob pattern following a range pattern has its parse error ignored, and curl goes on to use an incomplete or invalid 'glob' data structure when generating candidate URLs.

Reproduction:

Below are example invocations that trigger the bug, grouped by the type of the glob that fails to parse:

Invalid set glob

Missing '}' or the set glob crosses the boundary for too many globs:

$ curl "http://localhost/[a-b]{"
$ curl "http://localhost/[a-b]{}{}{}{}{}{}{}{}{}"

Results in a crash, or in attempts to access URLs with sprintf'd NULLs present, as in the following:

$ curl "http://localhost/[a-b]{}{}{}{}{"
[1/2]: http://localhost/a(nil)(nil)(nil --> <stdout>
--_curl_--http://localhost/a(nil)(nil)(nil
curl: (7) Failed connect to localhost:80; Connection refused

[2/2]: http://localhost/a(nil)(nil)(nil --> <stdout>
--_curl_--http://localhost/a(nil)(nil)(nil
curl: (7) Failed connect to localhost:80; Connection refused

Invalid range glob

Missing ']' or the range glob crosses the boundary for too many globs:

$ curl "http://localhost/[a-b]["
$ curl "http://localhost/[a-b]{}{}{}{}{}{}{}{}[a-b]"

Gives the following output:

internal error: invalid pattern type (0)
curl: (2) Failed initialization
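As an added illustration (not part of the original report and not curl's code), the following cut-down C model of the pattern parser reproduces the control-flow flaw from the quoted snippet and both reproduction classes above. With `fixed == 0`, glob_range() turns the error from the rest of the URL into GLOB_OK exactly as the quoted code does, so the pattern table keeps an entry that was claimed but never filled (type 0) which the expansion step then trips over, and a full table silently drops the tail of the URL; with `fixed != 0` the error reaches the caller. All identifiers here (Glob, Pattern, glob_url, glob_expand, emit, new_pat, MAX_PATTERNS, the `fixed` flag) are this example's own; glob_word/glob_set/glob_range echo the tool_urlglob.c function names on this page but their bodies are a simplification, and the model does not reproduce curl's memory layout, so it shows the "invalid pattern type (0)" failure rather than the "(nil)" strings or the crash.

```c
/* Added example, not curl's code: cut-down model of tool_urlglob.c; all names are invented. */
#include <stdio.h>
#include <string.h>
#define MAX_PATTERNS 8
enum { GLOB_OK = 0, GLOB_ERROR = 1 };
typedef enum { UPT_NONE = 0, UPT_TEXT, UPT_SET, UPT_RANGE } PatType;
typedef struct {  /* s/len: literal text or {..} body; n: choices; lo: [x-y] start */
  PatType type; const char *s; int len, n; char lo;   /* UPT_NONE: slot never filled */
} Pattern;
typedef struct { Pattern pat[MAX_PATTERNS]; int size; } Glob;
static int glob_word(const char **pp, Glob *g, int fixed);

/* Claim the next slot, zeroed (type UPT_NONE), or NULL when the table is full. */
static Pattern *new_pat(Glob *g)
{
  if(g->size >= MAX_PATTERNS) return NULL;
  memset(&g->pat[g->size], 0, sizeof(Pattern));
  return &g->pat[g->size++];
}

/* {a,b,...}: the slot is typed only once the closing '}' has been seen. */
static int glob_set(const char **pp, Glob *g, int fixed)
{
  const char *s = *pp + 1, *e; Pattern *p = new_pat(g);
  if(!p) return GLOB_ERROR;                        /* too many globs */
  for(e = s; *e != '}'; e++) {
    if(*e == '\0') return GLOB_ERROR;              /* missing '}': slot stays UPT_NONE */
    if(*e == ',') p->n++;
  }
  p->type = UPT_SET; p->s = s; p->len = (int)(e - s); p->n++;
  *pp = e + 1;
  return glob_word(pp, g, fixed);
}

/* [x-y]: parse the range, then the rest of the URL, as curl's glob_range() does. */
static int glob_range(const char **pp, Glob *g, int fixed)
{
  const char *s = *pp + 1; Pattern *p = new_pat(g); int res;
  if(!p) return GLOB_ERROR;                        /* too many globs */
  if(!s[0] || s[1] != '-' || !s[2] || s[3] != ']' || s[0] > s[2])
    return GLOB_ERROR;                             /* missing ']' or malformed range */
  p->type = UPT_RANGE; p->lo = s[0]; p->n = s[2] - s[0] + 1;
  *pp = s + 4;
  res = glob_word(pp, g, fixed);
  if(res == GLOB_ERROR && !fixed) res = GLOB_OK;   /* the bug (fixed == 0): error in the rest dropped */
  return res;
}

/* Literal text up to the next glob, then dispatch on '{' or '['. */
static int glob_word(const char **pp, Glob *g, int fixed)
{
  const char *s = *pp; Pattern *p;
  if(*s == '\0') return GLOB_OK;
  if(*s == '{') return glob_set(pp, g, fixed);
  if(*s == '[') return glob_range(pp, g, fixed);
  if(!(p = new_pat(g))) return GLOB_ERROR;
  while(*s && *s != '{' && *s != '[') s++;
  p->type = UPT_TEXT; p->s = *pp; p->len = (int)(s - *pp); p->n = 1;
  *pp = s;
  return glob_word(pp, g, fixed);
}

/* Parse a whole URL pattern into g; fixed == 0 reproduces the bug, fixed != 0 propagates. */
int glob_url(Glob *g, const char *pattern, int fixed)
{ memset(g, 0, sizeof(*g)); return glob_word(&pattern, g, fixed); }

/* Write choice k of pattern p into out; returns the snprintf result. */
static int emit(const Pattern *p, int k, char *out, size_t room)
{
  const char *s = p->s, *e = p->s + p->len;
  if(p->type == UPT_RANGE) return snprintf(out, room, "%c", p->lo + k);
  if(p->type == UPT_SET) {
    while(k-- > 0) s = strchr(s, ',') + 1;         /* skip k alternatives */
    e = memchr(s, ',', (size_t)(p->s + p->len - s)); if(!e) e = p->s + p->len;
  }
  return snprintf(out, room, "%.*s", (int)(e - s), s);
}

/* Write all URLs, one per line, into out; returns their count, or -1 with a message in
 * out for an unfilled entry (curl's "internal error: invalid pattern type (0)"). */
int glob_expand(const Glob *g, char *out, size_t outsz)
{
  int idx[MAX_PATTERNS] = {0}, count = 0, i; size_t used = 0;
  if(outsz < 2) return -1;
  for(i = 0; i < g->size; i++) if(g->pat[i].type == UPT_NONE) {
    snprintf(out, outsz, "internal error: invalid pattern type (%d)", (int)g->pat[i].type);
    return -1;
  }
  for(;;) {
    for(i = 0; i < g->size; i++) {
      int n = emit(&g->pat[i], idx[i], out + used, outsz - used);
      if(n < 0 || (size_t)n + 1 >= outsz - used) return -1;   /* out too small */
      used += (size_t)n;
    }
    out[used++] = '\n'; out[used] = '\0'; count++;
    for(i = g->size - 1; i >= 0 && ++idx[i] == g->pat[i].n; i--) idx[i] = 0; /* odometer */
    if(i < 0) return count;
  }
}
```

Fed the page's reproductions, glob_url(&g, "http://localhost/[a-b]{", 0) returns GLOB_OK with g.pat[2].type == UPT_NONE and glob_expand() then reports invalid pattern type (0); the same call with fixed = 1 returns GLOB_ERROR, which is what the caller needs in order to refuse the URL before any candidate is generated. The overflow case works the same way: once the table is full, the buggy mode still reports success and quietly generates URLs without the text that followed the overflowing glob.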

Impact

Programs that use curl with globbing enabled may be crashable, or worse, if the user can control the URL given. Note that since libcurl does not contain the globbing logic (AFAIK), this is only an issue for the command-line curl tool and for applications that use exec() to invoke it.

The above inputs cause bad behavior in curl versions including 7.19.7, 7.31.0, 7.32.0 and the latest git (d5e2d0b).

Discussion

  • Will Dietz - 2013-08-15

    Similar to previously-fixed bug: http://sourceforge.net/p/curl/bugs/1129/

  • Daniel Stenberg - 2013-08-15
    • status: open --> open-confirmed
    • assigned_to: Daniel Stenberg

  • Daniel Stenberg - 2013-08-15

    I can repeat it and I have a fix pending...

  • Daniel Stenberg - 2013-08-18

    Fixed in git, commit 5ca96cb84410

  • Daniel Stenberg - 2013-08-18
    • status: open-confirmed --> closed-fixed