curl supports SFTP transfers. curl's SFTP implementation offers a special feature in the path component of URLs: a tilde (~) character as the first path element denotes a path relative to the user's home directory. This is supported because of wording in the once-proposed RFC draft that was to dictate how SFTP URLs work.

Due to a bug, the handling of the tilde in SFTP paths did not only replace it when it was used stand-alone as the first path element, but also, wrongly, when it was merely a prefix of the first element.

Using a path like /~2/foo when accessing a server as the user dan (with home directory /home/dan) would then, quite surprisingly, access the file /home/dan2/foo.

This can be taken advantage of to circumvent filtering or worse.
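As an added illustration (not curl's own code), the two functions below contrast the prefix-only check that produced the behaviour described above with the whole-element check that only treats "/~" or "/~/..." as the home marker. Function names are hypothetical; the home directory /home/dan and the sample paths are taken from the example above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a new malloc'ed string home + rest; the caller frees it. */
static char *join(const char *home, const char *rest)
{
    size_t n = strlen(home) + strlen(rest) + 1;
    char *p = malloc(n);
    if(p)
        snprintf(p, n, "%s%s", home, rest);
    return p;
}

/* Buggy behaviour described above: any first element that merely starts with
 * '~' is taken as the home marker, so "/~2/foo" turns into "<home>2/foo". */
char *expand_tilde_buggy(const char *path, const char *home)
{
    if(path[0] == '/' && path[1] == '~')
        return join(home, path + 2);
    return join("", path);   /* no tilde: plain copy */
}

/* Corrected behaviour: only "/~" alone or "/~/..." denotes the home
 * directory; "/~2/foo" is left untouched and names a literal "~2". */
char *expand_tilde_fixed(const char *path, const char *home)
{
    if(path[0] == '/' && path[1] == '~' &&
       (path[2] == '\0' || path[2] == '/'))
        return join(home, path + 2);
    return join("", path);
}

/* 1 if the selected variant (fixed != 0 picks the corrected one) maps
 * path to expected, else 0. Convenient for unit checks. */
int expands_to(const char *path, const char *home, const char *expected, int fixed)
{
    char *got = fixed ? expand_tilde_fixed(path, home) : expand_tilde_buggy(path, home);
    int ok = got && strcmp(got, expected) == 0;
    free(got);
    return ok;
}
```

With home /home/dan, the buggy variant maps /~2/foo to /home/dan2/foo while the corrected one leaves it as /~2/foo; both map /~/foo to /home/dan/foo.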
{ "issue": "https://hackerone.com/reports/1892351", "URL": "https://curl.se/docs/CVE-2023-27534.json", "last_affected": "7.88.1", "affects": "both", "award": { "currency": "USD", "amount": "480" }, "CWE": { "desc": "Improper Limitation of a Pathname to a Restricted Directory", "id": "CWE-22" }, "severity": "Low", "package": "curl", "www": "https://curl.se/docs/CVE-2023-27534.html" }