Avoid information leakage with badly formed download header
Parsing of Content-Disposition relies on well formed headers. A malformed header such as: Content-Disposition=""; will result in a strnduppayload->content_disp_name, -1, ptr), which will copy memory until it hits a \0. Prevent this by only copying the value if it exists. Fixes FS#73704. Signed-off-by: Allan McRae <allan@archlinux.org>
This commit is contained in:
Allan McRae
parent
632eb9739d
commit
40583ebe89
1 changed files with 5 additions and 2 deletions
|
|
@ -295,10 +295,13 @@ static size_t dload_parseheader_cb(void *ptr, size_t size, size_t nmemb, void *u
|
|||
endptr--;
|
||||
}
|
||||
|
||||
/* avoid information leakage with badly formed headers */
|
||||
if(endptr > fptr) {
|
||||
STRNDUP(payload->content_disp_name, fptr, endptr - fptr + 1,
|
||||
RET_ERR(payload->handle, ALPM_ERR_MEMORY, realsize));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
curl_easy_getinfo(payload->curl, CURLINFO_RESPONSE_CODE, &respcode);
|
||||
if(payload->respcode != respcode) {
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue