#1264 Glob parsing bug leads to strange behavior, corruption, DoS (segfault)

closed-fixed
None
5
2014-08-16
2013-08-15
Will Dietz
No

Description

Overview

The glob_range() function in tool_urlglob.c fails to handle errors from subsquent glob parsing which allows crafted URLs to cause a variety of undesirable behavior including corruption and DoS (crash).

Details

The relevant code is at tool_urlglob.c:272:

    res = glob_word(glob, c, pos + (c - pattern), &wordamount);
    if(res == GLOB_ERROR) {
      wordamount = 1;
      res = GLOB_OK;
    }

As shown above, the code ignores errors returned from attempts to parse out globs in the remainder of the URL. This means that malformed glob patterns following a range pattern will have the resulting parse error ignored and attempt to use incomplete or invalid 'glob' datastructure when generating candidate URL's.

Reproduction:

Below are listed example invocations that use this bug to cause undesirable behaviors, which are divided into the faulting glob type:

Invalid set glob

Missing ']' or set glob crosses boundary for too many globs:

$ curl "http://localhost/[a-b]{"
$ curl "http://localhost/[a-b]{}{}{}{}{}{}{}{}{}"

Results in crash or attempt to access URL's with sprintf'd NULL's present, as in the following:

$ curl "http://localhost/[a-b]{}{}{}{}{"
[1/2]: http://localhost/a(nil)(nil)(nil --> <stdout>
--_curl_--http://localhost/a(nil)(nil)(nil
curl: (7) Failed connect to localhost:80; Connection refused

[2/2]: http://localhost/a(nil)(nil)(nil --> <stdout>
--_curl_--http://localhost/a(nil)(nil)(nil
curl: (7) Failed connect to localhost:80; Connection refused

Invalid range glob

Missing '}' or range glob crosses boundary for too many globs:

$ curl "http://localhost/[a-b]["
$ curl "http://localhost/[a-b]{}{}{}{}{}{}{}{}[a-b]"

Gives the following output:

internal error: invalid pattern type (0)
curl: (2) Failed initialization

Impact

Programs using curl with globbing enabled may be crashable or worse if the user can control the URL given. Note that since libcurl does not contain the globbing logic (AFAIK) this is only an issue for the command-line curl and applications which use exec() to invoke it.

The above inputs cause bad behavior in versions of curl including 7.19.7, 7.31.0, 7.32.0, and the latest git (d5e2d0b).

Discussion

  • Daniel Stenberg

    Daniel Stenberg - 2013-08-15
    • status: open --> open-confirmed
    • assigned_to: Daniel Stenberg
     
  • Daniel Stenberg

    Daniel Stenberg - 2013-08-15

    I can repeat it and I have a fix pending...

     
  • Daniel Stenberg

    Daniel Stenberg - 2013-08-18

    Fixed in git, commit 5ca96cb84410

     
  • Daniel Stenberg

    Daniel Stenberg - 2013-08-18
    • status: open-confirmed --> closed-fixed
     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks