The glob_range() function in tool_urlglob.c fails to handle errors from subsequent glob parsing, which allows crafted URLs to cause a variety of undesirable behavior including corruption and DoS (crash).
The relevant code is at tool_urlglob.c:272:
    res = glob_word(glob, c, pos + (c - pattern), &wordamount);
    if(res == GLOB_ERROR) {
      wordamount = 1;
      res = GLOB_OK;
    }
As shown above, the code ignores errors returned from attempts to parse out globs in the remainder of the URL. This means that malformed glob patterns following a range pattern will have the resulting parse error ignored, and the incomplete or invalid 'glob' data structure will then be used when generating candidate URLs.
Below are listed example invocations that use this bug to cause undesirable behaviors, which are divided into the faulting glob type:
Missing ']' or set glob crosses boundary for too many globs:
$ curl "http://localhost/[a-b]{"
$ curl "http://localhost/[a-b]{}{}{}{}{}{}{}{}{}"
Results in a crash, or in attempts to access URLs with sprintf'd NULLs present, as in the following:
$ curl "http://localhost/[a-b]{}{}{}{}{"
[1/2]: http://localhost/a(nil)(nil)(nil --> <stdout>
--_curl_--http://localhost/a(nil)(nil)(nil
curl: (7) Failed connect to localhost:80; Connection refused
[2/2]: http://localhost/a(nil)(nil)(nil --> <stdout>
--_curl_--http://localhost/a(nil)(nil)(nil
curl: (7) Failed connect to localhost:80; Connection refused
Missing '}' or range glob crosses boundary for too many globs:
$ curl "http://localhost/[a-b]["
$ curl "http://localhost/[a-b]{}{}{}{}{}{}{}{}[a-b]"
Gives the following output:
internal error: invalid pattern type (0)
curl: (2) Failed initialization
Programs using curl with globbing enabled may be crashable or worse if the user can control the URL given. Note that since libcurl does not contain the globbing logic (AFAIK) this is only an issue for the command-line curl and applications which use exec() to invoke it.
The above inputs cause bad behavior in versions of curl including 7.19.7, 7.31.0, 7.32.0, and the latest git (d5e2d0b).
Similar to previously-fixed bug: http://sourceforge.net/p/curl/bugs/1129/
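To make the failure mode in the report concrete, here is an added example, written for this page and not taken from curl's tool_urlglob.c: a toy URL globber with the same glob_word -> glob_range -> glob_word recursion, where each parser claims its slot in the pattern array before it knows the piece is well-formed. With swallow_errors set, glob_range discards the error of the trailing parse exactly as the quoted code does, so a dangling '{' still yields a "successful" parse whose expansion then trips over a slot that never received a valid type; with the flag clear, the error propagates and the URL is rejected up front. Glob, Pattern, glob_parse, glob_expand, MAX_PATS and the swallow_errors flag are hypothetical names; the URL strings are the report's own inputs.

```c
/* Added example, not curl's code: a toy URL globber mirroring the
 * glob_word -> glob_range -> glob_word recursion of tool_urlglob.c.  With
 * swallow_errors set, glob_range drops the error of the trailing parse as
 * the report describes; with it clear the error propagates. */
#include <string.h>
#define MAX_PATS 8
enum { PT_INVALID = 0, PT_LITERAL, PT_SET, PT_RANGE };
enum { GLOB_OK = 0, GLOB_ERROR = 1 };

typedef struct {
  int type;           /* stays PT_INVALID until the piece fully parses */
  char lit[64];       /* PT_LITERAL text */
  char set[8][16];    /* PT_SET members, e.g. {a,b,c} */
  int nset, lo, hi;   /* set size; PT_RANGE bounds, e.g. [a-z] */
} Pattern;

typedef struct {
  Pattern pats[MAX_PATS];
  int n;              /* slots claimed so far (curl: glob->size) */
  int swallow_errors; /* 1 reproduces the bug, 0 is the fixed behaviour */
} Glob;

static int glob_word(Glob *g, const char *p, int *amount);

/* Parse "a,b,c}" (p is just past '{'), then the rest of the URL. */
static int glob_set(Glob *g, const char *p, int *amount) {
  if (g->n == MAX_PATS) return GLOB_ERROR;                 /* too many globs */
  Pattern *pat = &g->pats[g->n++];
  int len = 0, rest;
  for (; *p != '}'; p++) {
    if (!*p || *p == '{' || *p == '[') return GLOB_ERROR;  /* missing '}' */
    if (*p == ',') { if (pat->nset == 7) return GLOB_ERROR; pat->nset++; len = 0; }
    else if (len < 15) pat->set[pat->nset][len++] = *p;
    else return GLOB_ERROR;
  }
  pat->nset++;
  pat->type = PT_SET;  /* the slot is valid only once the closing '}' was seen */
  int res = glob_word(g, p + 1, &rest);
  if (res != GLOB_OK) return res;
  *amount = pat->nset * rest;
  return GLOB_OK;
}

/* Parse "x-y]" (p is just past '['), then the rest of the URL. */
static int glob_range(Glob *g, const char *p, int *amount) {
  if (g->n == MAX_PATS) return GLOB_ERROR;
  Pattern *pat = &g->pats[g->n++];
  if (!(p[0] && p[1] == '-' && p[2] && p[3] == ']') || p[0] > p[2]) return GLOB_ERROR;
  pat->lo = p[0]; pat->hi = p[2]; pat->type = PT_RANGE;
  int rest, res = glob_word(g, p + 4, &rest);
  if (res == GLOB_ERROR && g->swallow_errors) {
    /* tool_urlglob.c:272 as reported: pretend the rest parsed, keeping the
     * half-built slot the failed glob_word/glob_set left in the array */
    rest = 1;
    res = GLOB_OK;
  }
  if (res != GLOB_OK) return res;  /* fixed behaviour: propagate instead */
  *amount = (pat->hi - pat->lo + 1) * rest;
  return GLOB_OK;
}

/* Copy literal text up to the next '{' or '[' and dispatch on it. */
static int glob_word(Glob *g, const char *p, int *amount) {
  size_t len = strcspn(p, "{[");
  if (g->n == MAX_PATS || len >= sizeof g->pats[0].lit) return GLOB_ERROR;
  Pattern *pat = &g->pats[g->n++];
  memcpy(pat->lit, p, len);  /* lit is already NUL-terminated: Glob is zeroed */
  pat->type = PT_LITERAL;
  p += len;
  if (!*p) { *amount = 1; return GLOB_OK; }
  return *p == '{' ? glob_set(g, p + 1, amount) : glob_range(g, p + 1, amount);
}

static int glob_parse(Glob *g, const char *url, int swallow, int *amount) {
  memset(g, 0, sizeof *g);
  g->swallow_errors = swallow;
  return glob_word(g, url, amount);
}

/* Expansion number idx (first pattern varies fastest) into out; -1 on a slot
 * with no valid type, which is curl's "invalid pattern type (0)". */
static int glob_expand(const Glob *g, int idx, char *out, size_t outsz) {
  size_t used = 0;
  for (int i = 0; i < g->n; i++) {
    const Pattern *pat = &g->pats[i];
    char one[2] = { 0, 0 };
    const char *piece = one;
    int count = 1;
    if (pat->type == PT_LITERAL) piece = pat->lit;
    else if (pat->type == PT_SET) piece = pat->set[idx % (count = pat->nset)];
    else if (pat->type == PT_RANGE) one[0] = (char)(pat->lo + idx % (count = pat->hi - pat->lo + 1));
    else return -1;
    idx /= count;
    if (used + strlen(piece) >= outsz) return -1;
    strcpy(out + used, piece);
    used += strlen(piece);
  }
  return 0;
}
```

With swallow_errors set, glob_parse on "http://localhost/[a-b]{" returns GLOB_OK with an amount of 2, matching the "[1/2]" the report shows, and glob_expand then returns -1 on the third slot, whose type is still PT_INVALID; with it clear, the same URL fails at parse time. The point a reviewer should take from it is that a parser which claims its slot before validating cannot have its error discarded by a caller, because the caller has no way to unwind the partially initialised entry.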
I can repeat it and I have a fix pending...
Fixed in git, commit 5ca96cb84410