]> git.ipfire.org Git - thirdparty/curl.git/commitdiff
projects / thirdparty / curl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ce354d0)
examples: fix two issues found by CodeQL
authorViktor Szakats <commit@vsz.me>
Thu, 18 Sep 2025 16:50:09 +0000 (18:50 +0200)
committerViktor Szakats <commit@vsz.me>
Thu, 18 Sep 2025 18:14:21 +0000 (20:14 +0200)
- http2-upload: use `fstat()` to query file length to fix TOCTOU.

- ftpuploadresume: fix checking `sscanf()` return value.

Follow-up to b4922b1295333dc6679eb1d588ddc2fb6b7fd5b7 #18564
Closes #18605

docs/examples/ftpuploadresume.c patch | blob | blame | history
docs/examples/http2-upload.c patch | blob | blame | history

diff --git a/docs/examples/ftpuploadresume.c b/docs/examples/ftpuploadresume.c
index b02ad928a6dc05e85ba5ac23743c77745e243a24..67495aec68705d63b78866ac8e1a232a501ee85f 100644 (file)
--- a/docs/examples/ftpuploadresume.c
+++ b/docs/examples/ftpuploadresume.c
@@ -38,7 +38,7 @@ static size_t getcontentlengthfunc(void *ptr, size_t size, size_t nmemb,
   long len = 0;
 
   r = sscanf(ptr, "Content-Length: %ld\n", &len);
-  if(r)
+  if(r == 1)
     *((long *) stream) = len;
 
   return size * nmemb;
diff --git a/docs/examples/http2-upload.c b/docs/examples/http2-upload.c
index 482889ea185740788b35039f49855c644a3f8ab7..31f4ed56e1ba95fe578d2b3fbf767a67c2a8eb8c 100644 (file)
--- a/docs/examples/http2-upload.c
+++ b/docs/examples/http2-upload.c
@@ -45,6 +45,9 @@
 #ifdef _WIN32
 #undef stat
 #define stat _stat
+#undef fstat
+#define fstat _fstat
+#define fileno _fileno
 #endif
 
 /* curl stuff */
@@ -223,24 +226,27 @@ static int setup(struct input *i, int num, const char *upload)
 
   curl_msnprintf(url, 256, "https://localhost:8443/upload-%d", num);
 
-  /* get the file size of the local file */
-  if(stat(upload, &file_info)) {
-    fprintf(stderr, "error: could not stat file %s: %s\n", upload,
+  i->in = fopen(upload, "rb");
+  if(!i->in) {
+    fprintf(stderr, "error: could not open file %s for reading: %s\n", upload,
             strerror(errno));
     fclose(out);
     return 1;
   }
 
-  uploadsize = file_info.st_size;
-
-  i->in = fopen(upload, "rb");
-  if(!i->in) {
-    fprintf(stderr, "error: could not open file %s for reading: %s\n", upload,
+#ifdef UNDER_CE
+  if(stat(upload, &file_info) != 0) {
+#else
+  if(fstat(fileno(i->in), &file_info) != 0) {
+#endif
+    fprintf(stderr, "error: could not stat file %s: %s\n", upload,
             strerror(errno));
     fclose(out);
     return 1;
   }
 
+  uploadsize = file_info.st_size;
+
   hnd = i->hnd = curl_easy_init();
 
   /* write to this file */
Mirror of https://github.com/curl/curl.git