From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 6 Oct 2025 07:02:09 +0000 (+0200)
Subject: libssh2: bail out on chgrp and chown number parsing errors
X-Git-Tag: rc-8_17_0-1~121
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c3adf63ee7a26bae6c45ba0e0ae977c4cabd394e;p=thirdparty%2Fcurl.git

libssh2: bail out on chgrp and chown number parsing errors

Reported-by: Joshua Rogers
Closes #18863
---

diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
index 0b82b568b1..390602b35a 100644
--- a/lib/vssh/libssh2.c
+++ b/lib/vssh/libssh2.c
@@ -1303,11 +1303,11 @@ sftp_quote_stat(struct Curl_easy *data,
   if(!strncmp(cmd, "chgrp", 5)) {
     const char *p = sshc->quote_path1;
     curl_off_t gid;
-    (void)curlx_str_number(&p, &gid, ULONG_MAX);
-    sshp->quote_attrs.gid = (unsigned long)gid;
-    sshp->quote_attrs.flags = LIBSSH2_SFTP_ATTR_UIDGID;
-    if(sshp->quote_attrs.gid == 0 && !ISDIGIT(sshc->quote_path1[0]) &&
-       !sshc->acceptfail) {
+    if(!curlx_str_number(&p, &gid, ULONG_MAX)) {
+      sshp->quote_attrs.gid = (unsigned long)gid;
+      sshp->quote_attrs.flags = LIBSSH2_SFTP_ATTR_UIDGID;
+    }
+    else if(!sshc->acceptfail) {
       failf(data, "Syntax error: chgrp gid not a number");
       goto fail;
     }
@@ -1327,11 +1327,11 @@ sftp_quote_stat(struct Curl_easy *data,
   else if(!strncmp(cmd, "chown", 5)) {
     const char *p = sshc->quote_path1;
     curl_off_t uid;
-    (void)curlx_str_number(&p, &uid, ULONG_MAX);
-    sshp->quote_attrs.uid = (unsigned long)uid;
-    sshp->quote_attrs.flags = LIBSSH2_SFTP_ATTR_UIDGID;
-    if(sshp->quote_attrs.uid == 0 && !ISDIGIT(sshc->quote_path1[0]) &&
-       !sshc->acceptfail) {
+    if(!curlx_str_number(&p, &uid, ULONG_MAX)) {
+      sshp->quote_attrs.uid = (unsigned long)uid;
+      sshp->quote_attrs.flags = LIBSSH2_SFTP_ATTR_UIDGID;
+    }
+    else if(!sshc->acceptfail) {
       failf(data, "Syntax error: chown uid not a number");
       goto fail;
     }