diff options
| author | Denys Vlasenko <vda.linux@googlemail.com> | 2014-02-03 14:09:42 +0100 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2014-02-03 14:09:42 +0100 |
| commit | d353bfff467517608af7468198431d32406bb943 (patch) | |
| tree | c10aca8d6ca2f3e39f3e8d474b0118d39491871c | |
| parent | 69a12fa7906d2dcdb5d8e124643a4e0f7865417a (diff) | |
| download | busybox-d353bfff467517608af7468198431d32406bb943.tar.gz | |
wget: fix use-after-free of ->user. Closes 6836
function old new delta
wget_main 2207 2223 +16
parse_url 339 353 +14
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | networking/wget.c | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/networking/wget.c b/networking/wget.c index d6c509edc..7ca947aec 100644 --- a/networking/wget.c +++ b/networking/wget.c @@ -46,7 +46,7 @@ struct host_info { char *allocated; const char *path; - const char *user; + char *user; char *host; int port; smallint is_ftp; @@ -322,9 +322,6 @@ static void parse_url(const char *src_url, struct host_info *h) h->path = sp; } - // We used to set h->user to NULL here, but this interferes - // with handling of code 302 ("object was moved") - sp = strrchr(h->host, '@'); if (sp != NULL) { // URL-decode "user:password" string before base64-encoding: @@ -333,11 +330,13 @@ static void parse_url(const char *src_url, struct host_info *h) // which decodes to "test:my pass". // Standard wget and curl do this too. *sp = '\0'; - h->user = percent_decode_in_place(h->host, /*strict:*/ 0); + free(h->user); + h->user = xstrdup(percent_decode_in_place(h->host, /*strict:*/ 0)); h->host = sp + 1; } - - sp = h->host; + /* else: h->user remains NULL, or as set by original request + * before redirect (if we are here after a redirect). + */ } static char *gethdr(FILE *fp) @@ -880,6 +879,7 @@ However, in real world it was observed that some web servers } else { parse_url(str, &target); if (!use_proxy) { + /* server.user remains untouched */ free(server.allocated); server.allocated = NULL; server.host = target.host; @@ -929,6 +929,8 @@ However, in real world it was observed that some web servers free(server.allocated); free(target.allocated); + free(server.user); + free(target.user); free(fname_out_alloc); free(redirected_path); } |