From d353bfff467517608af7468198431d32406bb943 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Mon, 3 Feb 2014 14:09:42 +0100
Subject: wget: fix use-after-free of ->user. Closes 6836

function                                             old     new   delta
wget_main                                           2207    2223     +16
parse_url                                            339     353     +14

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
---
 networking/wget.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/networking/wget.c b/networking/wget.c
index d6c509edc..7ca947aec 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -46,7 +46,7 @@
 struct host_info {
 	char *allocated;
 	const char *path;
-	const char *user;
+	char       *user;
 	char       *host;
 	int         port;
 	smallint    is_ftp;
@@ -322,9 +322,6 @@ static void parse_url(const char *src_url, struct host_info *h)
 		h->path = sp;
 	}
 
-	// We used to set h->user to NULL here, but this interferes
-	// with handling of code 302 ("object was moved")
-
 	sp = strrchr(h->host, '@');
 	if (sp != NULL) {
 		// URL-decode "user:password" string before base64-encoding:
@@ -333,11 +330,13 @@ static void parse_url(const char *src_url, struct host_info *h)
 		// which decodes to "test:my pass".
 		// Standard wget and curl do this too.
 		*sp = '\0';
-		h->user = percent_decode_in_place(h->host, /*strict:*/ 0);
+		free(h->user);
+		h->user = xstrdup(percent_decode_in_place(h->host, /*strict:*/ 0));
 		h->host = sp + 1;
 	}
-
-	sp = h->host;
+	/* else: h->user remains NULL, or as set by original request
+	 * before redirect (if we are here after a redirect).
+	 */
 }
 
 static char *gethdr(FILE *fp)
@@ -880,6 +879,7 @@ However, in real world it was observed that some web servers
 				} else {
 					parse_url(str, &target);
 					if (!use_proxy) {
+						/* server.user remains untouched */
 						free(server.allocated);
 						server.allocated = NULL;
 						server.host = target.host;
@@ -929,6 +929,8 @@ However, in real world it was observed that some web servers
 
 	free(server.allocated);
 	free(target.allocated);
+	free(server.user);
+	free(target.user);
 	free(fname_out_alloc);
 	free(redirected_path);
 }
-- 
cgit v1.2.3