From patchwork Tue Jun 4 17:57:04 2019
X-Patchwork-Submitter: Matthew DeVore
X-Patchwork-Id: 10975867
Date: Tue, 4 Jun 2019 10:57:04 -0700
Message-Id: <9628f0bfeda578a1c7d157d61b87f5c430567d74.1559670300.git.matvore@google.com>
X-Mailer: git-send-email 2.22.0.rc1.311.g5d7573a151-goog
Subject: [PATCH v2 1/2] url: do not read past end of buffer
From: Matthew DeVore
To: git@vger.kernel.org
Cc: Matthew DeVore, sandals@crustytoothpaste.net, jeffhostetler@microsoft.com, l.s.r@web.de, gitster@pobox.com, spearce@spearce.org, jrn@google.com

url_decode_internal could have been tricked into reading past the length
of the **query buffer if there are fewer than 2 characters after a % (in
a null-terminated string, % would have to be the last character). Prevent
this from happening by checking len before decoding the % sequence.

Helped-by: René Scharfe
Signed-off-by: Matthew DeVore
---
 url.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/url.c b/url.c
index 25576c390b..9ea9d5611b 100644
--- a/url.c
+++ b/url.c
@@ -39,21 +39,21 @@ static char *url_decode_internal(const char **query, int len, unsigned char c = *q; if (!c) break; if (stop_at && strchr(stop_at, c)) { q++; len--; break; } - if (c == '%') { + if (c == '%' && (len < 0 || len >= 3)) { int val = hex2chr(q + 1); if (0 <= val) { strbuf_addch(out, val); q += 3; len -= 3; continue; } } if (decode_plus && c == '+')
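Review bot: the new guard `len < 0 || len >= 3` on the changed line is correct for the bounded case, since `q += 3; len -= 3;` below consumes exactly `%` plus two hex digits, and in the unbounded (`len < 0`) case the guard is a no-op and the loop keeps relying on the terminating NUL that `if (!c) break;` above already checks, so the two arms are consistent. What the hunk leaves implicit is the new behaviour for a `%` with fewer than two bytes left: it now skips the decode and falls through to the plain-character handling below, the same path a malformed escape already takes; the commit message says only "Prevent this from happening", so spell out that the truncated escape is passed through literally, and add a test that decodes a bounded buffer ending in `%` or `%4` so the overread cannot silently return.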

From patchwork Tue Jun 4 17:57:05 2019
X-Patchwork-Submitter: Matthew DeVore
X-Patchwork-Id: 10975869
Date: Tue, 4 Jun 2019 10:57:05 -0700
X-Mailer: git-send-email 2.22.0.rc1.311.g5d7573a151-goog
Subject: [PATCH v2 2/2] url: do not allow %00 to represent NUL in URLs
From: Matthew DeVore
To: git@vger.kernel.org
Cc: Matthew DeVore, sandals@crustytoothpaste.net, jeffhostetler@microsoft.com, l.s.r@web.de, gitster@pobox.com, spearce@spearce.org, jrn@google.com

There is no reason to allow %00 to terminate a string, so do not allow it.
Otherwise, we end up returning arbitrary content in the string (that which
is after the %00) which is effectively hidden from callers and can escape
sanity checks and validation, and possibly be used in tandem with a
security vulnerability to introduce a payload.

Helped-by: brian m. carlson
Signed-off-by: Matthew DeVore
---
 url.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/url.c b/url.c
index 9ea9d5611b..1b8ef78cea 100644
--- a/url.c
+++ b/url.c
@@ -41,21 +41,21 @@ static char *url_decode_internal(const char **query, int len, if (!c) break; if (stop_at && strchr(stop_at, c)) { q++; len--; break; } if (c == '%' && (len < 0 || len >= 3)) { int val = hex2chr(q + 1); - if (0 <= val) { + if (0 < val) { strbuf_addch(out, val); q += 3; len -= 3; continue; } } if (decode_plus && c == '+') strbuf_addch(out, ' '); else
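Review bot: `0 < val` on the changed line reads like an off-by-one at first glance, because the old `0 <= val` shows that a zero return from `hex2chr` is a successful decode of `%00` and only negative values mean "not hex"; add a one-line comment on that line saying NUL is deliberately excluded so that `%00` cannot truncate the decoded string. The commit message should also say what now happens to `%00`: there is no rejection path in the hunk, so the sequence takes the same fall-through as a malformed escape, the `%` is handled by the plain-character code below and decoding continues with the two zeros, which means callers that validate the decoded string will see the literal text `%00` rather than a short string. A test with `%00` in the middle of a query would pin both points.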