

Re: curl_easy_escape() easily misused?

From: Ray Satiro via curl-library <>
Date: Sat, 8 Oct 2016 15:09:05 -0400

On 10/8/2016 5:59 AM, Daniel Stenberg wrote:
> However, this means that a caller intending to supply a binary buffer
> and failing to explicitly check whether the buffer has a size equaling
> zero might in fact cause an out-of-bounds read. If this happens, it is
> also likely to translate into disclosure of the read data to an HTTP
> server. A cursory inspection of some code that uses curl_easy_escape()
> with a length argument shows that most cURL users fail to explicitly
> check for length zero. However, because the buffer normally contains a
> C string anyway, this shortcoming does not have much impact in practice.

It says clearly "If length is set to 0 (zero), curl_easy_escape uses
strlen() on the input string to find out the size." The burden is on the
caller to check, and I really don't think it's that big of one. I don't
see any harm in adding inline helpers like curl_easy_escape_string and
curl_easy_escape_binary, either.

#include <limits.h>
#include <stdlib.h>
#include <curl/curl.h>

/* String form: length 0 tells curl_easy_escape() to use strlen(). */
char *curl_easy_escape_string(CURL *curl, const char *string)
{
   return curl_easy_escape(curl, string, 0);
}

/* Binary form: the caller always supplies the size, so a zero-length
   buffer yields an empty string instead of a strlen() walk. */
char *curl_easy_escape_binary(CURL *curl, const char *binary, size_t size)
{
   if(size == 0)
     return (char *)calloc(1, 1);
   else if(size < (unsigned)(INT_MAX))
     return curl_easy_escape(curl, binary, (int)size);
   else
     return NULL;
}

Received on 2016-10-08
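Added example (not Ray's helpers and not libcurl's code): a toy percent-encoder that keeps the curl_easy_escape() contract of "length 0 means strlen()", beside a size-only wrapper, so that passing 0 for an intended empty buffer visibly escapes whatever C string sits behind the pointer while the wrapper returns "". Names toy_escape and escape_binary are hypothetical.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for curl_easy_escape(): same contract, a length
   of 0 falls back to strlen(). Input must then be NUL-terminated. */
char *toy_escape(const char *in, int length)
{
    size_t n = length ? (size_t)length : strlen(in);
    char *out = malloc(n * 3 + 1);   /* worst case: every byte -> %XX */
    char *p = out;
    size_t i;
    if(!out)
        return NULL;
    for(i = 0; i < n; i++) {
        unsigned char c = (unsigned char)in[i];
        if(isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~')
            *p++ = (char)c;          /* unreserved: copied through */
        else
            p += sprintf(p, "%%%02X", c);
    }
    *p = '\0';
    return out;
}

/* Binary-safe wrapper: the explicit size is authoritative, so size 0
   never turns into a strlen() walk past the caller's buffer. */
char *escape_binary(const char *binary, size_t size)
{
    if(size == 0)
        return calloc(1, 1);         /* "" for an empty buffer */
    if(size >= (size_t)INT_MAX)
        return NULL;                 /* length not representable as int */
    return toy_escape(binary, (int)size);
}

int main(void)
{
    const char buf[] = "ABCD";       /* constructed: 4 bytes, then NUL */
    char *raw = toy_escape(buf, 0);  /* caller meant "0 bytes", got 4 */
    char *safe = escape_binary(buf, 0);
    printf("length 0 via strlen(): \"%s\"\n", raw);
    printf("length 0 via wrapper:  \"%s\"\n", safe);
    free(raw);
    free(safe);
    return 0;
}
```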