From f5edb3fd79742a14eb1b150061fe56f41560b1d2 Mon Sep 17 00:00:00 2001 From: Rob Landley Date: Wed, 20 Apr 2022 16:59:15 -0500 Subject: [PATCH] Teach wget about basic url escapes, and don't allow server to specify ../../../file as a filename. --- toys/net/wget.c | 44 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/toys/net/wget.c b/toys/net/wget.c index 61dc6500..737605d9 100644 --- a/toys/net/wget.c +++ b/toys/net/wget.c @@ -83,6 +83,37 @@ GLOBALS( #endif ) +char *escape_url(char *str) +{ + int i, count; + char *s; + + for (i = count = 0; str[i]; i++) if (isspace(str[i])) count++; + s = xmalloc(i+1+count*2); + for (i = 0;;) { + if (isspace(*str)) i += sprintf(s+i, "%%%02x", *str++); + else if (!(s[i++] = *str++)) break; + } + + return s; +} + +void unescape_url(char *str) +{ + char *to; + int i; + + for (to = str;;) { + if (*str!='%' || !isxdigit(str[1]) || !isxdigit(str[2])) { + if (!(*to++ = *str++)) break; + } else { + sscanf(++str, "%2x", &i); + *to++ = i; + str += 2; + } + } +} + // get http info in URL static void wget_info(char *url, char **host, char **port, char **path) { @@ -235,7 +266,7 @@ void wget_main(void) char *body, *index, *host, *port, *path = 0, *chunked, *ss; char agent[] = "toybox wget/" TOYBOX_VERSION; - TT.url = xstrdup(*toys.optargs); + TT.url = escape_url(*toys.optargs); // Ask server for URL, following redirects until success while (status != 200) { @@ -279,6 +310,17 @@ void wget_main(void) if (TT.O && !strcmp(TT.O, "-")) fd = 1; else if (!TT.O) { ss = wget_find_header(toybuf, "Content-Disposition: attachment; filename="); + if (ss) { + unescape_url(ss); + for (ii = strlen(ss); ii; ii--) { + if (ss[ii]=='/') memmove(ss, ss+ii, strlen(ss+ii)); + break; + } + if (!*ss) { + free(ss); + ss = 0; + } + } if (!ss) { path = 0; for (ii = 0, ss = *toys.optargs; *ss && *ss!='?' && *ss!='#'; ss++) -- 2.39.2