On Mon, Aug 17, 2015 at 06:06:17PM +0200, Sebastien Marie wrote:
> Hi,
> 
> I start reading your code, and I have a first remark.
> 
> I see in main.c (at line 142 and next) that on redirection, you trust
> the server for the filename. I am not sure it is a good thing to do.
> 
> If the user requests 'http://www.example.com/a_filename' (without -o),
> the file created should be 'a_filename' whatever the redirection is.
> Else, an evil server could arbitrarily choose the filename (in the current
> directory), and as file creation is done with O_TRUNC (or O_APPEND in
> resume case), an evil server could override the file he wants.

Thanks for the comments, I agree with your observation. This diff
evaluates the filename just once.

Index: main.c
===================================================================
RCS file: /cvs/http/main.c,v
retrieving revision 1.67
diff -u -p -r1.67 main.c
--- main.c      16 Aug 2015 08:00:25 -0000      1.67
+++ main.c      17 Aug 2015 17:33:20 -0000
@@ -108,8 +108,8 @@ main(int argc, char *argv[])
        }
 
        for (i = 0; i < argc; i++) {
-retry:
                fn = (output) ? output : basename(argv[i]);
+retry:
                url_str = url_encode(argv[i]);
                p = url_type(url_str);
                if (url_parse(url_str, &url, p) != 0)
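Review bot: moving `retry:` below `fn = (output) ? output : basename(argv[i]);` pins the name only if the redirect path changes nothing else this assignment reads; the hunk does not show what the redirect code stores into argv[i] or url_str, so confirm that the jump target is the only thing updated before `goto retry`. One caveat worth a comment next to the label: basename(3) may return a pointer to static storage, so if anything on the redirect path calls basename again, `fn` would change underneath the loop even though it is no longer re-evaluated; copying the result (e.g. strdup) when it is first computed avoids that.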

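The invariant discussed in the thread, as an added example that is not part of the patch or of the http(1) sources: the local filename is derived once from the path of the URL the user typed, rejected when it is empty or a dot entry, and a server-chosen redirect target never feeds back into it. `local_name_from_url` and `fetch_name` are constructed names.

```c
#include <stdio.h>
#include <string.h>

/* Take the last path segment of the user's URL as the output name.
 * Constructed helper: like basename(argv[i]) in the thread, but it also
 * refuses an empty segment and "." / "..". Returns 1 on success. */
static int
local_name_from_url(const char *url, char *out, size_t outlen)
{
	const char *p, *slash, *end, *q;
	size_t n;

	p = strstr(url, "://");		/* skip scheme and host */
	p = p ? p + 3 : url;
	slash = strchr(p, '/');
	if (slash == NULL)
		return 0;		/* no path at all: caller needs -o */
	end = slash + strcspn(slash, "?#");	/* drop query and fragment */
	for (q = end; q > slash && q[-1] != '/'; q--)
		;
	n = (size_t)(end - q);
	if (n == 0 || n >= outlen)
		return 0;
	memcpy(out, q, n);
	out[n] = '\0';
	if (strcmp(out, ".") == 0 || strcmp(out, "..") == 0)
		return 0;
	return 1;
}

/* Simulated transfer: fn is fixed before the retry point, so following a
 * redirect (server-controlled redirect_to) only changes the URL fetched. */
static int
fetch_name(const char *user_url, const char *redirect_to, char *fn, size_t fnlen)
{
	const char *cur = user_url;

	if (!local_name_from_url(user_url, fn, fnlen))
		return 0;
	if (redirect_to != NULL)	/* the "retry:" path: cur changes, fn does not */
		cur = redirect_to;
	(void)cur;
	return 1;
}

int
main(void)
{
	char fn[64];

	if (fetch_name("http://www.example.com/a_filename",
	    "http://evil.example/.profile", fn, sizeof fn))
		printf("saving to %s\n", fn);	/* a_filename, not .profile */
	return 0;
}
```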