From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 16 Sep 2010 21:11:48 +0000 (+0200)
Subject: header_callback: strip off file path separated with backslashes
X-Git-Tag: curl-7_21_2~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=81f151c912105ded480c3c88a1be53ca345298a1;p=thirdparty%2Fcurl.git

header_callback: strip off file path separated with backslashes

If the filename contains a backslash, only use filename portion. The
idea is that even systems that don't handle backslashes as path
separators probably want that path removed for convenience.

This flaw is considered a security problem, see the curl security
vulnerability http://curl.haxx.se/docs/adv_20101013.html
---

diff --git a/src/main.c b/src/main.c
index 8572328cda..95b47ea3a2 100644
--- a/src/main.c
+++ b/src/main.c
@@ -4368,6 +4368,18 @@ parse_filename(char *ptr, size_t len)
     }
   }
 
+  /* If the filename contains a backslash, only use filename portion. The idea
+     is that even systems that don't handle backslashes as path separators
+     probably want the path removed for convenience. */
+  q = strrchr(p, '\\');
+  if (q) {
+    p = q+1;
+    if (!*p) {
+      free(copy);
+      return NULL;
+    }
+  }
+
   if(quote) {
     /* if the file name started with a quote, then scan for the end quote and
        stop there */