From 53a3b2114a9b0652bb464437d38f5c8abffc708d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 11 Mar 2026 08:33:58 +0100 Subject: [PATCH] libssh2: fix error handling on quote errors Previously it lacked the actual return. libssh.c uses the same function name. Verified by test 2007. Reported-by: m777m0 on hackerone Follow-up to 578706addec3d41cb5db64160d23795a95ca11d9 Closes #20883 --- lib/vssh/libssh.c | 18 +++++++++--------- lib/vssh/libssh2.c | 18 +++++++++--------- tests/data/Makefile.am | 2 +- tests/data/test2007 | 32 ++++++++++++++++++++++++++++++++ 4 files changed, 51 insertions(+), 19 deletions(-) create mode 100644 tests/data/test2007 diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c index 3a2a52e1f8..31b1744618 100644 --- a/lib/vssh/libssh.c +++ b/lib/vssh/libssh.c @@ -1346,8 +1346,8 @@ static int myssh_in_SFTP_POSTQUOTE_INIT(struct Curl_easy *data, return SSH_NO_ERROR; } -static int return_quote_error(struct Curl_easy *data, - struct ssh_conn *sshc) +static int quote_error(struct Curl_easy *data, + struct ssh_conn *sshc) { failf(data, "Suspicious data after the command line"); Curl_safefree(sshc->quote_path1); @@ -1467,7 +1467,7 @@ static int myssh_in_SFTP_QUOTE(struct Curl_easy *data, return SSH_NO_ERROR; } if(*cp) - return return_quote_error(data, sshc); + return quote_error(data, sshc); sshc->quote_attrs = NULL; myssh_to(data, sshc, SSH_SFTP_QUOTE_STAT); return SSH_NO_ERROR; @@ -1490,13 +1490,13 @@ static int myssh_in_SFTP_QUOTE(struct Curl_easy *data, return SSH_NO_ERROR; } if(*cp) - return return_quote_error(data, sshc); + return quote_error(data, sshc); myssh_to(data, sshc, SSH_SFTP_QUOTE_SYMLINK); return SSH_NO_ERROR; } else if(!strncmp(cmd, "mkdir ", 6)) { if(*cp) - return return_quote_error(data, sshc); + return quote_error(data, sshc); /* create directory */ myssh_to(data, sshc, SSH_SFTP_QUOTE_MKDIR); return SSH_NO_ERROR; 
@@ -1518,27 +1518,27 @@ static int myssh_in_SFTP_QUOTE(struct Curl_easy *data, return SSH_NO_ERROR; } if(*cp) - return return_quote_error(data, sshc); + return quote_error(data, sshc); myssh_to(data, sshc, SSH_SFTP_QUOTE_RENAME); return SSH_NO_ERROR; } else if(!strncmp(cmd, "rmdir ", 6)) { /* delete directory */ if(*cp) - return return_quote_error(data, sshc); + return quote_error(data, sshc); myssh_to(data, sshc, SSH_SFTP_QUOTE_RMDIR); return SSH_NO_ERROR; } else if(!strncmp(cmd, "rm ", 3)) { if(*cp) - return return_quote_error(data, sshc); + return quote_error(data, sshc); myssh_to(data, sshc, SSH_SFTP_QUOTE_UNLINK); return SSH_NO_ERROR; } #ifdef HAS_STATVFS_SUPPORT else if(!strncmp(cmd, "statvfs ", 8)) { if(*cp) - return return_quote_error(data, sshc); + return quote_error(data, sshc); myssh_to(data, sshc, SSH_SFTP_QUOTE_STATVFS); return SSH_NO_ERROR; } diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c index 63f5735b83..b55539efbe 100644 --- a/lib/vssh/libssh2.c +++ b/lib/vssh/libssh2.c @@ -715,8 +715,8 @@ static CURLcode ssh_force_knownhost_key_type(struct Curl_easy *data, return result; } -static CURLcode return_quote_error(struct Curl_easy *data, - struct ssh_conn *sshc) +static CURLcode quote_error(struct Curl_easy *data, + struct ssh_conn *sshc) { failf(data, "Suspicious data after the command line"); Curl_safefree(sshc->quote_path1); @@ -812,7 +812,7 @@ static CURLcode sftp_quote(struct Curl_easy *data, return result; } if(*cp) - return_quote_error(data, sshc); + return quote_error(data, sshc); memset(&sshp->quote_attrs, 0, sizeof(LIBSSH2_SFTP_ATTRIBUTES)); myssh_to(data, sshc, SSH_SFTP_QUOTE_STAT); 
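Review bot: `quote_error()` in lib/vssh/libssh2.c (hunk at -715) has no comment saying its result must be returned. That is the defect repaired in the `sftp_quote` hunks at -812, -831 and -854: the value was discarded, so after "Suspicious data after the command line" was reported and `quote_path1` freed, execution still reached `myssh_to()` for the requested command. I would add above the definition `/* Reject a quote command that has trailing data: releases quote_path1 and returns the error; every caller must return this value. */`, adjusted to whatever the rest of the body does, since it continues outside the hunk. Consider also marking the helper with the GCC/Clang `warn_unused_result` attribute (or the project's wrapper macro for it, if one exists) so a dropped result is caught at compile time. The same comment applies to the `int` variant in lib/vssh/libssh.c.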
@@ -831,13 +831,13 @@ static CURLcode sftp_quote(struct Curl_easy *data, return result; } if(*cp) - return_quote_error(data, sshc); + return quote_error(data, sshc); myssh_to(data, sshc, SSH_SFTP_QUOTE_SYMLINK); return result; } else if(!strncmp(cmd, "mkdir ", 6)) { if(*cp) - return_quote_error(data, sshc); + return quote_error(data, sshc); /* create directory */ myssh_to(data, sshc, SSH_SFTP_QUOTE_MKDIR); return result; @@ -854,26 +854,26 @@ static CURLcode sftp_quote(struct Curl_easy *data, return result; } if(*cp) - return_quote_error(data, sshc); + return quote_error(data, sshc); myssh_to(data, sshc, SSH_SFTP_QUOTE_RENAME); return result; } else if(!strncmp(cmd, "rmdir ", 6)) { if(*cp) - return_quote_error(data, sshc); + return quote_error(data, sshc); /* delete directory */ myssh_to(data, sshc, SSH_SFTP_QUOTE_RMDIR); return result; } else if(!strncmp(cmd, "rm ", 3)) { if(*cp) - return_quote_error(data, sshc); + return quote_error(data, sshc); myssh_to(data, sshc, SSH_SFTP_QUOTE_UNLINK); return result; } else if(!strncmp(cmd, "statvfs ", 8)) { if(*cp) - return_quote_error(data, sshc); + return quote_error(data, sshc); myssh_to(data, sshc, SSH_SFTP_QUOTE_STATVFS); return result; } diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index 53abf60901..36463204af 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -243,7 +243,7 @@ test1955 test1956 test1957 test1958 test1959 test1960 test1964 \ test1970 test1971 test1972 test1973 test1974 test1975 test1976 test1977 \ test1978 test1979 test1980 test1981 \ \ -test2000 test2001 test2002 test2003 test2004 test2005 test2006 \ +test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 \ \ test2023 \ test2024 test2025 test2026 test2027 test2028 test2029 test2030 test2031 \ diff --git a/tests/data/test2007 b/tests/data/test2007 new file mode 100644 index 0000000000..db82ec3105 --- /dev/null +++ b/tests/data/test2007 
@@ -0,0 +1,32 @@ + + + + +SFTP +--quote + + + +# Server-side + + + +# Client-side + + +sftp + + +SFTP quote rmdir command with trailing junk + + +--hostpubmd5 %SSHSRVMD5 --key %LOGDIR/server/curl_client_key --pubkey %LOGDIR/server/curl_client_key.pub -u %USER: sftp://%HOSTIP:%SSHPORT%SFTP_PWD/%LOGDIR/file%TESTNUMBER.txt -Q "mkdir /tmp/test trailing_garbage" + + + + + +21 + + +
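Review bot: The test name says `rmdir` but the command line sends `-Q "mkdir /tmp/test trailing_garbage"`, so the title and the exercised branch disagree; `SFTP quote mkdir command with trailing junk` would match. The target `/tmp/test` is a fixed path outside the test's log directory, so a regression of this check would let the test create a directory on the host. A path built from the `%SFTP_PWD/%LOGDIR` and `%TESTNUMBER` variables already used on this line would keep it contained. Only the mkdir branch is covered, although the same missing return was fixed in the chmod-family, ln, rename, rmdir, rm and statvfs branches of libssh2.c. What the test verifies beyond the expected error 21 is not visible in this extract; if it checks only the exit code, a post-check that the directory was not created would pin the behaviour the fix restores.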