file: on Windows, refuse paths that start with \\
authorDaniel Stenberg <daniel@haxx.se>
Thu, 7 Nov 2019 09:13:01 +0000 (10:13 +0100)
committerDaniel Stenberg <daniel@haxx.se>
Mon, 6 Jan 2020 09:05:37 +0000 (10:05 +0100)
... as that might cause an unexpected SMB connection to a given host
name.

Reported-by: Fernando Muñoz
CVE-2019-15601
Bug: https://curl.haxx.se/docs/CVE-2019-15601.html

lib/file.c

index d349cd9241cdc9ae93f5e4f5dc67a40cd6d57b84..166931d7f1badf4bb21241978dafc929f7b53020 100644 (file)
@@ -136,7 +136,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
   struct Curl_easy *data = conn->data;
   char *real_path;
   struct FILEPROTO *file = data->req.protop;
-  int fd;
+  int fd = -1;
 #ifdef DOS_FILESYSTEM
   size_t i;
   char *actual_path;
@@ -181,7 +181,9 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
       return CURLE_URL_MALFORMAT;
     }
 
-  fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
+  if(strncmp("\\\\", actual_path, 2))
+    /* refuse to open path that starts with two backslashes */
+    fd = open_readonly(actual_path, O_RDONLY|O_BINARY);
   file->path = actual_path;
 #else
   if(memchr(real_path, 0, real_path_len)) {
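Review bot: The comment under the added `if(strncmp("\\\\", actual_path, 2))` sits between the condition and its unbraced body, so it reads as describing the `open_readonly()` call when it actually describes the case where that call is skipped, and it does not say why such paths are refused. I would move it above the `if` and give the reason from the commit message, e.g. `/* do not open paths that start with two backslashes: on Windows that is a UNC path and opening it may start an SMB connection to the named host */`. The test matches backslashes only, so it presumably relies on '/' having been converted to '\\' earlier in file_connect, which lies outside this hunk; if that is the case, the comment should say so, so the check is not moved ahead of that conversion later. A refused path leaves `fd` at the -1 set in the first hunk, so it is likely reported like any failed open rather than as a rejected URL; the code that checks `fd` is not visible here.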