1/***************************************************************************
2 * _ _ ____ _
3 * Project ___| | | | _ \| |
4 * / __| | | | |_) | |
5 * | (__| |_| | _ <| |___
6 * \___|\___/|_| \_\_____|
7 *
8 * Copyright (C) 1998 - 2022, Daniel Stenberg, <[email protected]>, et al.
9 *
10 * This software is licensed as described in the file COPYING, which
11 * you should have received as part of this distribution. The terms
12 * are also available at https://curl.se/docs/copyright.html.
13 *
14 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
15 * copies of the Software, and permit persons to whom the Software is
16 * furnished to do so, under the terms of the COPYING file.
17 *
18 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
19 * KIND, either express or implied.
20 *
21 * SPDX-License-Identifier: curl
22 *
23 ***************************************************************************/
24
25#include "curl_setup.h"
26
27#include <curl/curl.h>
28
29#include "dotdot.h"
30#include "curl_memory.h"
31
32/* The last #include file should be: */
33#include "memdebug.h"
34
35/*
36 * "Remove Dot Segments"
37 * https://datatracker.ietf.org/doc/html/rfc3986#section-5.2.4
38 */
39
/*
 * dotdot_begins()
 *
 * Returns non-zero if the 'len' bytes at 'p' start with the null-terminated
 * string 'prefix'. Never reads beyond p[len - 1].
 */
static int dotdot_begins(const char *p, size_t len, const char *prefix)
{
  size_t plen = strlen(prefix);
  return (len >= plen) && !memcmp(p, prefix, plen);
}

/*
 * dotdot_equals()
 *
 * Returns non-zero if the 'len' bytes at 'p' are exactly the null-terminated
 * string 'str'.
 */
static int dotdot_equals(const char *p, size_t len, const char *str)
{
  return (len == strlen(str)) && !memcmp(p, str, len);
}

/*
 * dotdot_drop_last()
 *
 * Removes the last segment and its preceding "/" (if any) from the output
 * buffer that starts at 'out' and currently ends at 'end'. The buffer is
 * null-terminated at the new end, which is returned.
 */
static char *dotdot_drop_last(char *out, char *end)
{
  while(end > out) {
    end--;
    if(*end == '/')
      break;
  }
  *end = 0;
  return end;
}

/*
 * Curl_dedotdotify()
 * @unittest: 1395
 *
 * This function gets a null-terminated path with dot and dotdot sequences
 * passed in and strips them off according to the rules in RFC 3986 section
 * 5.2.4.
 *
 * The function handles a query part ('?' + stuff) appended but it expects
 * that fragments ('#' + stuff) have already been cut off. Only the bytes
 * before the first '?' are treated as path; the query is appended to the
 * result verbatim. An input with an empty path (such as "" or "?query") is
 * returned as an unmodified copy.
 *
 * The input is never modified.
 *
 * RETURNS
 *
 * an allocated dedotdotified output string, or NULL if out of memory
 */
char *Curl_dedotdotify(const char *input)
{
  size_t inlen = strlen(input);
  const char *query = strchr(input, '?');
  /* number of bytes that make up the path part */
  size_t pathlen = query ? (size_t)(query - input) : inlen;
  const char *p = input; /* the not yet consumed part of the path */
  size_t left = pathlen; /* number of path bytes left at 'p' */
  /* the output can never get longer than the input */
  char *out = malloc(inlen + 1);
  char *outptr = out;
  if(!out)
    return NULL; /* out of memory */

  *out = 0; /* null-terminates, for inputs like "./" */

  /* The length is checked before each step so that an empty path never
     enters the loop and step E never copies bytes beyond the path. */
  while(left) {

    /* A. If the input buffer begins with a prefix of "../" or "./", then
       remove that prefix from the input buffer; otherwise, */

    if(dotdot_begins(p, left, "./")) {
      p += 2;
      left -= 2;
    }
    else if(dotdot_begins(p, left, "../")) {
      p += 3;
      left -= 3;
    }

    /* B. if the input buffer begins with a prefix of "/./" or "/.", where
       "." is a complete path segment, then replace that prefix with "/" in
       the input buffer; otherwise, */

    else if(dotdot_begins(p, left, "/./")) {
      /* keep the second slash as the start of what remains */
      p += 2;
      left -= 2;
    }
    else if(dotdot_equals(p, left, "/.")) {
      /* the remaining input becomes a lone "/" which step E would move to
         the output as-is, so store it right away and finish */
      *outptr++ = '/';
      *outptr = 0;
      left = 0;
    }

    /* C. if the input buffer begins with a prefix of "/../" or "/..", where
       ".." is a complete path segment, then replace that prefix with "/" in
       the input buffer and remove the last segment and its preceding "/" (if
       any) from the output buffer; otherwise, */

    else if(dotdot_begins(p, left, "/../")) {
      p += 3;
      left -= 3;
      outptr = dotdot_drop_last(out, outptr);
    }
    else if(dotdot_equals(p, left, "/..")) {
      outptr = dotdot_drop_last(out, outptr);
      /* as for a trailing "/.", what remains is a lone "/" */
      *outptr++ = '/';
      *outptr = 0;
      left = 0;
    }

    /* D. if the input buffer consists only of "." or "..", then remove
       that from the input buffer; otherwise, */

    else if(dotdot_equals(p, left, ".") || dotdot_equals(p, left, "..")) {
      /* only reachable while the output is still empty, since every step
         that stores output leaves the input empty or starting with "/" */
      outptr = out;
      *outptr = 0;
      left = 0;
    }

    else {
      /* E. move the first path segment in the input buffer to the end of
         the output buffer, including the initial "/" character (if any) and
         any subsequent characters up to, but not including, the next "/"
         character or the end of the input buffer. */

      do {
        *outptr++ = *p++;
        left--;
      } while(left && (*p != '/'));
      *outptr = 0;
    }
  }

  if(query)
    /* There was a query part, append it to the output including the end
       zero byte. */
    memcpy(outptr, query, inlen - pathlen + 1);

  return out;
}
185