summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDenys Vlasenko2014-02-03 14:09:42 +0100
committerDenys Vlasenko2014-02-03 14:09:42 +0100
commitd353bfff467517608af7468198431d32406bb943 (patch)
treec10aca8d6ca2f3e39f3e8d474b0118d39491871c
parent69a12fa7906d2dcdb5d8e124643a4e0f7865417a (diff)
downloadbusybox-d353bfff467517608af7468198431d32406bb943.zip
busybox-d353bfff467517608af7468198431d32406bb943.tar.gz
wget: fix use-after-free of ->user. Closes 6836
function old new delta wget_main 2207 2223 +16 parse_url 339 353 +14 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r--networking/wget.c16
1 files changed, 9 insertions, 7 deletions
diff --git a/networking/wget.c b/networking/wget.c
index d6c509e..7ca947a 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -46,7 +46,7 @@
struct host_info {
char *allocated;
const char *path;
- const char *user;
+ char *user;
char *host;
int port;
smallint is_ftp;
@@ -322,9 +322,6 @@ static void parse_url(const char *src_url, struct host_info *h)
h->path = sp;
}
- // We used to set h->user to NULL here, but this interferes
- // with handling of code 302 ("object was moved")
-
sp = strrchr(h->host, '@');
if (sp != NULL) {
// URL-decode "user:password" string before base64-encoding:
@@ -333,11 +330,13 @@ static void parse_url(const char *src_url, struct host_info *h)
// which decodes to "test:my pass".
// Standard wget and curl do this too.
*sp = '\0';
- h->user = percent_decode_in_place(h->host, /*strict:*/ 0);
+ free(h->user);
+ h->user = xstrdup(percent_decode_in_place(h->host, /*strict:*/ 0));
h->host = sp + 1;
}
-
- sp = h->host;
+ /* else: h->user remains NULL, or as set by original request
+ * before redirect (if we are here after a redirect).
+ */
}
static char *gethdr(FILE *fp)
@@ -880,6 +879,7 @@ However, in real world it was observed that some web servers
} else {
parse_url(str, &target);
if (!use_proxy) {
+ /* server.user remains untouched */
free(server.allocated);
server.allocated = NULL;
server.host = target.host;
@@ -929,6 +929,8 @@ However, in real world it was observed that some web servers
free(server.allocated);
free(target.allocated);
+ free(server.user);
+ free(target.user);
free(fname_out_alloc);
free(redirected_path);
}