return result;
}
+/* A value that becomes part of an FTP control command must not carry a
+ control byte: a CR or LF would end the command line and let a second
+ command be smuggled onto the control connection. */
+static bool ftp_has_ctrl(const char *string)
+{
+ const unsigned char *s = (const unsigned char *)string;
+ while(*s) {
+ if(*s < 0x20)
+ return TRUE;
+ s++;
+ }
+ return FALSE;
+}
+
/* for USER and PASS responses */
static CURLcode ftp_state_user_resp(struct Curl_easy *data,
struct ftp_conn *ftpc,
result = ftp_state_loggedin(data, ftpc);
}
else if(ftpcode == 332) {
- if(data->set.str[STRING_FTP_ACCOUNT]) {
- result = Curl_pp_sendf(data, &ftpc->pp, "ACCT %s",
- data->set.str[STRING_FTP_ACCOUNT]);
- if(!result)
- ftp_state(data, ftpc, FTP_ACCT);
- }
- else {
+ const char *account = data->set.str[STRING_FTP_ACCOUNT];
+ if(!account) {
failf(data, "ACCT requested but none available");
result = CURLE_LOGIN_DENIED;
}
+ else if(ftp_has_ctrl(account)) {
+ failf(data, "Control byte in FTP account");
+ result = CURLE_BAD_FUNCTION_ARGUMENT;
+ }
+ else {
+ result = Curl_pp_sendf(data, &ftpc->pp, "ACCT %s", account);
+ if(!result)
+ ftp_state(data, ftpc, FTP_ACCT);
+ }
}
else {
/* All other response codes, like:
530 User ... access denied
(the server denies to log the specified user) */
- if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER] &&
- !ftpc->ftp_trying_alternative) {
+ const char *alt = data->set.str[STRING_FTP_ALTERNATIVE_TO_USER];
+ if(alt && !ftpc->ftp_trying_alternative) {
/* Ok, USER failed. Let's try the supplied command. */
- result = Curl_pp_sendf(data, &ftpc->pp, "%s",
- data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
- if(!result) {
- ftpc->ftp_trying_alternative = TRUE;
- ftp_state(data, ftpc, FTP_USER);
+ if(ftp_has_ctrl(alt)) {
+ failf(data, "Control byte in FTP alternative-to-user command");
+ result = CURLE_BAD_FUNCTION_ARGUMENT;
+ }
+ else {
+ result = Curl_pp_sendf(data, &ftpc->pp, "%s", alt);
+ if(!result) {
+ ftpc->ftp_trying_alternative = TRUE;
+ ftp_state(data, ftpc, FTP_USER);
+ }
}
}
else {
--- /dev/null
+<?xml version="1.0" encoding="US-ASCII"?>
+<testcase>
+<info>
+<keywords>
+FTP
+ACCT
+</keywords>
+</info>
+# Server-side
+<reply>
+<servercmd>
+REPLY PASS 332 please provide account name
+</servercmd>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+<name>
+FTP --ftp-account with embedded CRLF is rejected
+</name>
+# read the account from a config file so the raw CR LF reaches curl intact
+<file name="%LOGDIR/test%TESTNUMBER.config">
+ftp-account = "one\r\nDELE %TESTNUMBER"
+</file>
+<command>
+ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -K %LOGDIR/test%TESTNUMBER.config
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+# 43 - CURLE_BAD_FUNCTION_ARGUMENT
+<errorcode>
+43
+</errorcode>
+# the account is rejected before ACCT is built, so the injected DELE command
+# must never reach the server
+<protocol crlf="yes">
+USER anonymous
+PASS ftp@example.com
+</protocol>
+</verify>
+</testcase>
--- /dev/null
+<?xml version="1.0" encoding="US-ASCII"?>
+<testcase>
+<info>
+<keywords>
+FTP
+--ftp-alternative-to-user
+</keywords>
+</info>
+# Server-side
+<reply>
+<servercmd>
+REPLY USER 530 go away
+</servercmd>
+</reply>
+
+# Client-side
+<client>
+<server>
+ftp
+</server>
+<name>
+FTP --ftp-alternative-to-user with embedded CRLF is rejected
+</name>
+# read the command from a config file so the raw CR LF reaches curl intact
+<file name="%LOGDIR/test%TESTNUMBER.config">
+ftp-alternative-to-user = "USER me\r\nDELE %TESTNUMBER"
+</file>
+<command>
+ftp://%HOSTIP:%FTPPORT/%TESTNUMBER/ -K %LOGDIR/test%TESTNUMBER.config
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+# 43 - CURLE_BAD_FUNCTION_ARGUMENT
+<errorcode>
+43
+</errorcode>
+# the replacement command is rejected before it is sent, so the injected DELE
+# command must never reach the server
+<protocol crlf="yes">
+USER anonymous
+</protocol>
+</verify>
+</testcase>