From: Patrick Monnerat Date: Fri, 22 Sep 2017 00:08:29 +0000 (+0100) Subject: form/mime: field names are not allowed to contain zero-valued bytes. X-Git-Tag: curl-7_56_0~37 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ee56fdb6910f6bf215eecede9e2e9bfc83cb5f29;p=thirdparty%2Fcurl.git form/mime: field names are not allowed to contain zero-valued bytes. Also suppress length argument of curl_mime_name() (names are always zero-terminated). --- diff --git a/docs/examples/multi-post.c b/docs/examples/multi-post.c index 93c78e98d9..95d71bea98 100644 --- a/docs/examples/multi-post.c +++ b/docs/examples/multi-post.c @@ -51,17 +51,17 @@ int main(void) /* Fill in the file upload field */ field = curl_mime_addpart(form); - curl_mime_name(field, "sendfile", CURL_ZERO_TERMINATED); + curl_mime_name(field, "sendfile"); curl_mime_filedata(field, "multi-post.c"); /* Fill in the filename field */ field = curl_mime_addpart(form); - curl_mime_name(field, "filename", CURL_ZERO_TERMINATED); + curl_mime_name(field, "filename"); curl_mime_data(field, "multi-post.c", CURL_ZERO_TERMINATED); /* Fill in the submit field too, even if this is rarely needed */ field = curl_mime_addpart(form); - curl_mime_name(field, "submit", CURL_ZERO_TERMINATED); + curl_mime_name(field, "submit"); curl_mime_data(field, "send", CURL_ZERO_TERMINATED); /* initialize custom header list (stating that Expect: 100-continue is not diff --git a/docs/examples/postit2.c b/docs/examples/postit2.c index ca5c77dc41..49391e1cdb 100644 --- a/docs/examples/postit2.c +++ b/docs/examples/postit2.c 
@@ -61,17 +61,17 @@ int main(int argc, char *argv[]) /* Fill in the file upload field */ field = curl_mime_addpart(form); - curl_mime_name(field, "sendfile", CURL_ZERO_TERMINATED); + curl_mime_name(field, "sendfile"); curl_mime_filedata(field, "postit2.c"); /* Fill in the filename field */ field = curl_mime_addpart(form); - curl_mime_name(field, "filename", CURL_ZERO_TERMINATED); + curl_mime_name(field, "filename"); curl_mime_data(field, "postit2.c", CURL_ZERO_TERMINATED); /* Fill in the submit field too, even if this is rarely needed */ field = curl_mime_addpart(form); - curl_mime_name(field, "submit", CURL_ZERO_TERMINATED); + curl_mime_name(field, "submit"); curl_mime_data(field, "send", CURL_ZERO_TERMINATED); /* initialize custom header list (stating that Expect: 100-continue is not diff --git a/docs/libcurl/curl_formadd.3 b/docs/libcurl/curl_formadd.3 index 652663b7c2..39a749b7c0 100644 --- a/docs/libcurl/curl_formadd.3 +++ b/docs/libcurl/curl_formadd.3 
@@ -62,16 +62,15 @@ parts. .IP CURLFORM_COPYNAME followed by a string which provides the \fIname\fP of this part. libcurl copies the string so your application doesn't need to keep it around after -this function call. If the name isn't NUL-terminated, or if you'd -like it to contain zero bytes, you must set its length with -\fBCURLFORM_NAMELENGTH\fP. The copied data will be freed by -\fIcurl_formfree(3)\fP. +this function call. If the name isn't NUL-terminated, you must set its length +with \fBCURLFORM_NAMELENGTH\fP. The \fIname\fP is not allowed to contain +zero-valued bytes. The copied data will be freed by \fIcurl_formfree(3)\fP. .IP CURLFORM_PTRNAME followed by a string which provides the \fIname\fP of this part. libcurl will use the pointer and refer to the data in your application, so you must make sure it remains until curl no longer needs it. If the name -isn't NUL-terminated, or if you'd like it to contain zero -bytes, you must set its length with \fBCURLFORM_NAMELENGTH\fP. +isn't NUL-terminated, you must set its length with \fBCURLFORM_NAMELENGTH\fP. +The \fIname\fP is not allowed to contain zero-valued bytes. .IP CURLFORM_COPYCONTENTS followed by a pointer to the contents of this part, the actual data to send away. libcurl copies the provided data, so your application doesn't @@ -172,7 +171,8 @@ you've called \fIcurl_easy_cleanup(3)\fP for the curl handle. See example below. .SH AVAILABILITY -Deprecated in 7.56.0. +Deprecated in 7.56.0. Before this release, field names were allowed to +contain zero-valued bytes. .SH RETURN VALUE 0 means everything was ok, non-zero means an error occurred corresponding to a CURL_FORMADD_* constant defined in diff --git a/docs/libcurl/curl_mime_addpart.3 b/docs/libcurl/curl_mime_addpart.3 index 5ea8171dee..22350668a3 100644 --- a/docs/libcurl/curl_mime_addpart.3 +++ b/docs/libcurl/curl_mime_addpart.3 
@@ -51,7 +51,7 @@ A mime part structure handle, or NULL upon failure. /* continue and set name + data to the part */ curl_mime_data(part, "This is the field data", CURL_ZERO_TERMINATED); - curl_mime_name(part, "data", CURL_ZERO_TERMINATED); + curl_mime_name(part, "data"); .fi .SH "SEE ALSO" .BR curl_mime_init "(3)," diff --git a/docs/libcurl/curl_mime_data.3 b/docs/libcurl/curl_mime_data.3 index 7ed8eeb3b4..d2112f2d4c 100644 --- a/docs/libcurl/curl_mime_data.3 +++ b/docs/libcurl/curl_mime_data.3 @@ -64,6 +64,6 @@ CURLE_OK or a CURL error code upon failure. .fi .SH "SEE ALSO" .BR curl_mime_addpart "(3)," -.BR curl_mime_data_cb "(3)" -.BR curl_mime_name "(3)" +.BR curl_mime_data_cb "(3)," +.BR curl_mime_name "(3)," .BR curl_mime_type "(3)" diff --git a/docs/libcurl/curl_mime_data_cb.3 b/docs/libcurl/curl_mime_data_cb.3 index b174d3b376..bc74a85a5c 100644 --- a/docs/libcurl/curl_mime_data_cb.3 +++ b/docs/libcurl/curl_mime_data_cb.3 @@ -155,6 +155,6 @@ int seek_callback(void *arg, curl_off_t offset, int origin) &hugectl); .SH "SEE ALSO" -.BR curl_mime_addpart "(3)" -.BR curl_mime_data "(3)" +.BR curl_mime_addpart "(3)," +.BR curl_mime_data "(3)," .BR curl_mime_name "(3)" diff --git a/docs/libcurl/curl_mime_filedata.3 b/docs/libcurl/curl_mime_filedata.3 index f9cea3ce8a..9a57068de2 100644 --- a/docs/libcurl/curl_mime_filedata.3 +++ b/docs/libcurl/curl_mime_filedata.3 @@ -68,10 +68,10 @@ CURLE_OK or a CURL error code upon failure. curl_mime_filedata(part, "image.png"); /* set name */ - curl_mime_name(part, "data", CURL_ZERO_TERMINATED); + curl_mime_name(part, "data"); .fi .SH "SEE ALSO" .BR curl_mime_addpart "(3)," .BR curl_mime_data "(3)," -.BR curl_mime_filename "(3)" -.BR curl_mime_name "(3)," +.BR curl_mime_filename "(3)," +.BR curl_mime_name "(3)" diff --git a/docs/libcurl/curl_mime_filename.3 b/docs/libcurl/curl_mime_filename.3 index e29726c1aa..42916e598f 100644 --- a/docs/libcurl/curl_mime_filename.3 +++ b/docs/libcurl/curl_mime_filename.3 
@@ -64,9 +64,9 @@ CURLE_OK or a CURL error code upon failure. curl_mime_filename(part, "image.png"); /* set name */ - curl_mime_name(part, "data", CURL_ZERO_TERMINATED); + curl_mime_name(part, "data"); .fi .SH "SEE ALSO" -.BR curl_mime_addpart "(3) " -.BR curl_mime_filedata "(3) " -.BR curl_mime_data "(3) " +.BR curl_mime_addpart "(3)," +.BR curl_mime_filedata "(3)," +.BR curl_mime_data "(3)" diff --git a/docs/libcurl/curl_mime_headers.3 b/docs/libcurl/curl_mime_headers.3 index 87724ae1b5..1d02e1ee5d 100644 --- a/docs/libcurl/curl_mime_headers.3 +++ b/docs/libcurl/curl_mime_headers.3 @@ -59,7 +59,7 @@ CURLE_OK or a CURL error code upon failure. curl_mime_data(part, "12345679", CURL_ZERO_TERMINATED); /* set name */ - curl_mime_name(part, "numbers", CURL_ZERO_TERMINATED); + curl_mime_name(part, "numbers"); .fi .SH "SEE ALSO" .BR curl_mime_addpart "(3)" diff --git a/docs/libcurl/curl_mime_init.3 b/docs/libcurl/curl_mime_init.3 index 2f5617eef8..469f02b7c5 100644 --- a/docs/libcurl/curl_mime_init.3 +++ b/docs/libcurl/curl_mime_init.3 @@ -52,7 +52,7 @@ A mime struct handle, or NULL upon failure. mime = curl_mime_init(easy); part = curl_mime_addpart(mime); curl_mime_data(part, "This is the field data", CURL_ZERO_TERMINATED); - curl_mime_name(part, "data", CURL_ZERO_TERMINATED); + curl_mime_name(part, "data"); /* Post and send it. */ curl_easy_setopt(easy, CURLOPT_MIMEPOST, mime); diff --git a/docs/libcurl/curl_mime_name.3 b/docs/libcurl/curl_mime_name.3 index 369598012f..f821d90822 100644 --- a/docs/libcurl/curl_mime_name.3 +++ b/docs/libcurl/curl_mime_name.3 
@@ -25,21 +25,16 @@ curl_mime_name - set a mime part's name .SH SYNOPSIS .B #include .sp -.BI "CURLcode curl_mime_name(curl_mimepart * " part ", const char * " name -.BI ", size_t " namesize ");" +.BI "CURLcode curl_mime_name(curl_mimepart * " part ", const char * " name ");" .ad .SH DESCRIPTION \fIcurl_mime_name(3)\fP sets a mime part's name. This is the way HTTP form fields are named. -\fIname\fP points to the name byte string; the string may contain nul bytes -unless \fInamesize\fP is -1. - -\fInamesize\fP is the name length: it can be set to \fICURL_ZERO_TERMINATED\fP -to indicate \fIname\fP is a nul-terminated string. - \fIpart\fP is the part's handle to assign a name to. +\fIname\fP points to the zero-terminated name string. + The name string is copied into the part, thus the associated storage may safely be released or reused after call. Setting a part's name twice is valid: only the value set by the last call is retained. It is possible to "unname" a @@ -60,9 +55,9 @@ CURLE_OK or a CURL error code upon failure. part = curl_mime_addpart(mime); /* give the part a name */ - curl_mime_name(part, "shoe_size", CURL_ZERO_TERMINATED); + curl_mime_name(part, "shoe_size"); .fi .SH "SEE ALSO" -.BR curl_mime_addpart "(3)" -.BR curl_mime_data "(3)" +.BR curl_mime_addpart "(3)," +.BR curl_mime_data "(3)," .BR curl_mime_type "(3)" diff --git a/docs/libcurl/curl_mime_type.3 b/docs/libcurl/curl_mime_type.3 index 4882ceec24..59841d5bd1 100644 --- a/docs/libcurl/curl_mime_type.3 +++ b/docs/libcurl/curl_mime_type.3 @@ -75,9 +75,9 @@ CURLE_OK or a CURL error code upon failure. curl_mime_type(part, "image/png"); /* set name */ - curl_mime_name(part, "image", CURL_ZERO_TERMINATED); + curl_mime_name(part, "image"); .fi .SH "SEE ALSO" -.BR curl_mime_addpart "(3)" -.BR curl_mime_name "(3)" +.BR curl_mime_addpart "(3)," +.BR curl_mime_name "(3)," .BR curl_mime_data "(3)" diff --git a/include/curl/curl.h b/include/curl/curl.h index 1eb82f5c68..8b153fef9b 100644 
--- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -2009,8 +2009,7 @@ CURL_EXTERN curl_mimepart *curl_mime_addpart(curl_mime *mime); * * Set mime/form part name. */ -CURL_EXTERN CURLcode curl_mime_name(curl_mimepart *part, - const char *name, size_t namesize); +CURL_EXTERN CURLcode curl_mime_name(curl_mimepart *part, const char *name); /* * NAME curl_mime_filename() diff --git a/lib/formdata.c b/lib/formdata.c index ed7b334821..3568ac5791 100644 --- a/lib/formdata.c +++ b/lib/formdata.c @@ -636,12 +636,23 @@ CURLFORMcode FormAdd(struct curl_httppost **httppost, } form->contenttype_alloc = TRUE; } + if(form->name && form->namelength) { + /* Name should not contain nul bytes. */ + size_t i; + for(i = 0; i < form->namelength; i++) + if(!form->name[i]) { + return_value = CURL_FORMADD_NULL; + break; + } + if(return_value != CURL_FORMADD_OK) + break; + } if(!(form->flags & HTTPPOST_PTRNAME) && (form == first_form) ) { /* Note that there's small risk that form->name is NULL here if the app passed in a bad combo, so we better check for that first. */ if(form->name) { - /* copy name (without strdup; possibly contains null characters) */ + /* copy name (without strdup; possibly not nul-terminated) */ form->name = Curl_memdup(form->name, form->namelength? form->namelength: strlen(form->name) + 1); @@ -814,6 +825,24 @@ void curl_formfree(struct curl_httppost *form) } +/* Set mime part name, taking care of non nul-terminated name string. */ +static CURLcode setname(curl_mimepart *part, const char *name, size_t len) +{ + char *zname; + CURLcode res; + + if(!name || !len) + return curl_mime_name(part, name); + zname = malloc(len + 1); + if(!zname) + return CURLE_OUT_OF_MEMORY; + memcpy(zname, name, len); + zname[len] = '\0'; + res = curl_mime_name(part, zname); + free(zname); + return res; +} + /* * Curl_getformdata() converts a linked list of "meta data" into a mime * structure. The input list is in 'post', while the output is stored in 
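Review bot: The zero-byte scan added to FormAdd() in lib/formdata.c counts a trailing terminator too, so a caller that passes `CURLFORM_NAMELENGTH` as `sizeof("name")` instead of `strlen("name")` now gets `CURL_FORMADD_NULL` where the call used to succeed. The curl_formadd.3 text changed in this commit says zero-valued bytes are not allowed but does not name the code returned, and `CURL_FORMADD_NULL` otherwise appears to signal a NULL pointer argument; the RETURN VALUE section should state this new meaning. The inner loop and second `break` can be collapsed into `if(form->name && form->namelength && memchr(form->name, 0, form->namelength)) {` followed by `return_value = CURL_FORMADD_NULL; break; }`. FormAdd's body starts and ends outside the hunk.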
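Review bot: `setname()` in the second lib/formdata.c hunk copies `len` bytes and passes the buffer to `curl_mime_name()`, which now uses `strdup()`, so a name with an embedded zero byte is silently truncated here instead of rejected. The FormAdd() check covers lists built through curl_formadd(), but whether a `curl_httppost` list can reach Curl_getformdata() by another route is not visible in this diff; a guard before the `malloc()` such as `if(memchr(name, 0, len)) return CURLE_BAD_FUNCTION_ARGUMENT;` would keep both paths consistent. The removed call sites mapped a zero length to `-1` as the zero-terminated marker; if `len` can ever arrive as that value, `len + 1` wraps to 0 and the `memcpy()` overruns the allocation, so `if(!name || !len || len == CURL_ZERO_TERMINATED)` would be a safer early exit. The comment above the function should also say that the temporary copy is freed before returning.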
@@ -856,8 +885,7 @@ CURLcode Curl_getformdata(struct Curl_easy *data, if(!part) result = CURLE_OUT_OF_MEMORY; if(!result) - result = curl_mime_name(part, post->name, - post->namelength? post->namelength: -1); + result = setname(part, post->name, post->namelength); if(!result) { multipart = curl_mime_init(data); if(!multipart) @@ -884,8 +912,7 @@ CURLcode Curl_getformdata(struct Curl_easy *data, /* Set field name. */ if(!result && !post->more) - result = curl_mime_name(part, post->name, - post->namelength? post->namelength: -1); + result = setname(part, post->name, post->namelength); /* Process contents. */ if(!result) { diff --git a/lib/mime.c b/lib/mime.c index 03ccfc2009..496f5e6fb2 100644 --- a/lib/mime.c +++ b/lib/mime.c @@ -275,33 +275,25 @@ static void mimesetstate(mime_state *state, enum mimestate tok, void *ptr) /* Escape header string into allocated memory. */ -static char *escape_string(const char *src, size_t len) +static char *escape_string(const char *src) { - size_t bytecount; + size_t bytecount = 0; size_t i; char *dst; - if(len == CURL_ZERO_TERMINATED) - len = strlen(src); - - bytecount = len; - for(i = 0; i < len; i++) - if(src[i] == '"' || src[i] == '\\' || !src[i]) + for(i = 0; src[i]; i++) + if(src[i] == '"' || src[i] == '\\') bytecount++; + bytecount += i; dst = malloc(bytecount + 1); if(!dst) return NULL; - for(i = 0; len; len--) { - char c = *src++; - - if(c == '"' || c == '\\' || !c) { + for(i = 0; *src; src++) { + if(*src == '"' || *src == '\\') dst[i++] = '\\'; - if(!c) - c = '0'; - } - dst[i++] = c; + dst[i++] = *src; } dst[i] = '\0'; 
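Review bot: The rewritten `escape_string()` in the lib/mime.c hunk escapes only `"` and `\`, so CR and LF bytes in a part name or file name are copied unchanged into the string that Curl_mime_prepare_headers() puts in the part header. If either value can come from untrusted input, the header value can be broken across lines; rejecting or encoding control bytes here, or stating in the function comment that callers must pass header-safe text, would close that gap. The comment should also record the new contract, for example `/* Escape '"' and '\\' in the zero-terminated, non-NULL src; returns a malloc'ed copy or NULL. */`. The function's closing lines fall outside the hunk.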
@@ -1199,26 +1191,18 @@ curl_mimepart *curl_mime_addpart(curl_mime *mime) } /* Set mime part name. */ -CURLcode curl_mime_name(curl_mimepart *part, - const char *name, size_t namesize) +CURLcode curl_mime_name(curl_mimepart *part, const char *name) { if(!part) return CURLE_BAD_FUNCTION_ARGUMENT; Curl_safefree(part->name); part->name = NULL; - part->namesize = 0; if(name) { - if(namesize == CURL_ZERO_TERMINATED) - namesize = strlen(name); - part->name = malloc(namesize + 1); + part->name = strdup(name); if(!part->name) return CURLE_OUT_OF_MEMORY; - if(namesize) - memcpy(part->name, name, namesize); - part->name[namesize] = '\0'; - part->namesize = namesize; } return CURLE_OK; @@ -1656,12 +1640,12 @@ CURLcode Curl_mime_prepare_headers(curl_mimepart *part, char *filename = NULL; if(part->name) { - name = escape_string(part->name, part->namesize); + name = escape_string(part->name); if(!name) ret = CURLE_OUT_OF_MEMORY; } if(!ret && part->filename) { - filename = escape_string(part->filename, CURL_ZERO_TERMINATED); + filename = escape_string(part->filename); if(!filename) ret = CURLE_OUT_OF_MEMORY; } @@ -1745,12 +1729,10 @@ curl_mimepart *curl_mime_addpart(curl_mime *mime) return NULL; } -CURLcode curl_mime_name(curl_mimepart *part, - const char *name, size_t namesize) +CURLcode curl_mime_name(curl_mimepart *part, const char *name) { (void) part; (void) name; - (void) namesize; return CURLE_NOT_BUILT_IN; } diff --git a/lib/mime.h b/lib/mime.h index f22d013523..a144857076 100644 --- a/lib/mime.h +++ b/lib/mime.h @@ -111,7 +111,6 @@ struct curl_mimepart_s { char *mimetype; /* Part mime type. */ char *filename; /* Remote file name. */ char *name; /* Data name. */ - size_t namesize; /* Data name size. */ curl_off_t datasize; /* Expected data size. */ unsigned int flags; /* Flags. */ mime_state state; /* Current readback state. */ diff --git a/src/tool_formparse.c b/src/tool_formparse.c index 21cb2820b0..4645a761e3 100644 --- a/src/tool_formparse.c +++ b/src/tool_formparse.c 
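Review bot: In the first lib/mime.c hunk on this line, `curl_mime_name()` frees the old name before `strdup()` is attempted, so an out-of-memory failure returns an error and also leaves the part without the name it had. Duplicating first and swapping only on success keeps the previous value: declare `char *copy = name? strdup(name): NULL;`, return `CURLE_OUT_OF_MEMORY` when `name && !copy`, then `Curl_safefree(part->name); part->name = copy;`. The `part->name = NULL;` kept after `Curl_safefree()` looks redundant, assuming the macro already clears the pointer. curl_mime_name.3 should say which state the part is left in when the call fails.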
@@ -733,7 +733,7 @@ int formparse(struct OperationConfig *config, } /* Set part name. */ - if(name && curl_mime_name(part, name, CURL_ZERO_TERMINATED)) { + if(name && curl_mime_name(part, name)) { warnf(config->global, "curl_mime_name failed!\n"); Curl_safefree(contents); return 31; diff --git a/src/tool_setopt.c b/src/tool_setopt.c index fd9bba4d6b..fb2cb66d3c 100644 --- a/src/tool_setopt.c +++ b/src/tool_setopt.c @@ -525,20 +525,10 @@ static CURLcode libcurl_generate_mime(curl_mime *mime, int *mimeno) if(part->name) { Curl_safefree(escaped); - escaped = c_escape(part->name, part->namesize); + escaped = c_escape(part->name, CURL_ZERO_TERMINATED); if(!escaped) return CURLE_OUT_OF_MEMORY; - /* Are there any nul byte in name? */ - for(cp = part->name; *cp; cp++) - ; - if(cp != part->name + part->namesize) { - size = (curl_off_t) part->namesize; - CODE3("curl_mime_name(part%d, \"%s\", %" CURL_FORMAT_CURL_OFF_T ");", - *mimeno, escaped, size); - } - else - CODE2("curl_mime_name(part%d, \"%s\", CURL_ZERO_TERMINATED);", - *mimeno, escaped); + CODE2("curl_mime_name(part%d, \"%s\");", *mimeno, escaped); } if(part->mimetype) { diff --git a/tests/data/test1135 b/tests/data/test1135 index 821fc93b60..6a80ddf696 100644 --- a/tests/data/test1135 +++ b/tests/data/test1135 @@ -33,7 +33,7 @@ CURL_EXTERN int curl_strnequal(const char *s1, const char *s2, size_t n); CURL_EXTERN curl_mime *curl_mime_init(CURL *easy); CURL_EXTERN void curl_mime_free(curl_mime *mime); CURL_EXTERN curl_mimepart *curl_mime_addpart(curl_mime *mime); -CURL_EXTERN CURLcode curl_mime_name(curl_mimepart *part, +CURL_EXTERN CURLcode curl_mime_name(curl_mimepart *part, const char *name); CURL_EXTERN CURLcode curl_mime_filename(curl_mimepart *part, CURL_EXTERN CURLcode curl_mime_type(curl_mimepart *part, const char *mimetype); CURL_EXTERN CURLcode curl_mime_encoder(curl_mimepart *part, diff --git a/tests/data/test1404 b/tests/data/test1404 index 20dc013336..53ab37b499 100644 --- a/tests/data/test1404 
+++ b/tests/data/test1404 @@ -125,7 +125,7 @@ int main(int argc, char *argv[]) mime1 = curl_mime_init(hnd); part1 = curl_mime_addpart(mime1); curl_mime_data(part1, "value", CURL_ZERO_TERMINATED); - curl_mime_name(part1, "name", CURL_ZERO_TERMINATED); + curl_mime_name(part1, "name"); part1 = curl_mime_addpart(mime1); mime2 = curl_mime_init(hnd); part2 = curl_mime_addpart(mime2); @@ -140,7 +140,7 @@ int main(int argc, char *argv[]) slist1 = NULL; curl_mime_subparts(part1, mime2); mime2 = NULL; - curl_mime_name(part1, "file", CURL_ZERO_TERMINATED); + curl_mime_name(part1, "file"); curl_easy_setopt(hnd, CURLOPT_MIMEPOST, mime1); curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); diff --git a/tests/libtest/lib643.c b/tests/libtest/lib643.c index b2698f0768..c9d525bc27 100644 --- a/tests/libtest/lib643.c +++ b/tests/libtest/lib643.c @@ -113,7 +113,7 @@ static int once(char *URL, bool oldstyle) /* Fill in the file upload part */ if(oldstyle) { - res = curl_mime_name(part, "sendfile", CURL_ZERO_TERMINATED); + res = curl_mime_name(part, "sendfile"); if(!res) res = curl_mime_data_cb(part, datasize, read_callback, NULL, NULL, &pooh); @@ -122,7 +122,7 @@ static int once(char *URL, bool oldstyle) } else { /* new style */ - res = curl_mime_name(part, "sendfile alternative", CURL_ZERO_TERMINATED); + res = curl_mime_name(part, "sendfile alternative"); if(!res) res = curl_mime_data_cb(part, datasize, read_callback, NULL, NULL, &pooh); @@ -151,7 +151,7 @@ static int once(char *URL, bool oldstyle) return TEST_ERR_MAJOR_BAD; } /* Fill in the file upload part */ - res = curl_mime_name(part, "callbackdata", CURL_ZERO_TERMINATED); + res = curl_mime_name(part, "callbackdata"); if(!res) res = curl_mime_data_cb(part, datasize, read_callback, NULL, NULL, &pooh2); 
@@ -169,7 +169,7 @@ static int once(char *URL, bool oldstyle) } /* Fill in the filename field */ - res = curl_mime_name(part, "filename", CURL_ZERO_TERMINATED); + res = curl_mime_name(part, "filename"); if(!res) res = curl_mime_data(part, #ifdef CURL_DOES_CONVERSIONS @@ -193,7 +193,7 @@ static int once(char *URL, bool oldstyle) curl_global_cleanup(); return TEST_ERR_MAJOR_BAD; } - res = curl_mime_name(part, "submit", CURL_ZERO_TERMINATED); + res = curl_mime_name(part, "submit"); if(!res) res = curl_mime_data(part, #ifdef CURL_DOES_CONVERSIONS @@ -216,7 +216,7 @@ static int once(char *URL, bool oldstyle) curl_global_cleanup(); return TEST_ERR_MAJOR_BAD; } - res = curl_mime_name(part, "somename", CURL_ZERO_TERMINATED); + res = curl_mime_name(part, "somename"); if(!res) res = curl_mime_filename(part, "somefile.txt"); if(!res)