1From 538b1e79a6e7b0bb829ab4cecc828d32105d0684 Mon Sep 17 00:00:00 2001 2From: Daniel Stenberg <daniel@haxx.se> 3Date: Mon, 6 Mar 2023 12:07:33 +0100 4Subject: [PATCH] telnet: only accept option arguments in ascii 5 6To avoid embedded telnet negotiation commands etc. 7 8Reported-by: Harry Sintonen 9Closes #10728 10--- 11 lib/telnet.c | 15 +++++++++++++++ 12 1 file changed, 15 insertions(+) 13 14--- a/lib/telnet.c 15+++ b/lib/telnet.c 16@@ -768,6 +768,17 @@ static void printsub(struct Curl_easy *d 17 } 18 } 19 20+static bool str_is_nonascii(const char *str) 21+{ 22+ size_t len = strlen(str); 23+ while(len--) { 24+ if(*str & 0x80) 25+ return TRUE; 26+ str++; 27+ } 28+ return FALSE; 29+} 30+ 31 static CURLcode check_telnet_options(struct Curl_easy *data) 32 { 33 struct curl_slist *head; 34@@ -782,6 +793,8 @@ static CURLcode check_telnet_options(str 35 /* Add the user name as an environment variable if it 36 was given on the command line */ 37 if(conn->bits.user_passwd) { 38+ if(str_is_nonascii(data->conn->user)) 39+ return CURLE_BAD_FUNCTION_ARGUMENT; 40 msnprintf(option_arg, sizeof(option_arg), "USER,%s", conn->user); 41 beg = curl_slist_append(tn->telnet_vars, option_arg); 42 if(!beg) { 43@@ -797,6 +810,9 @@ static CURLcode check_telnet_options(str 44 if(sscanf(head->data, "%127[^= ]%*[ =]%255s", 45 option_keyword, option_arg) == 2) { 46 47+ if(str_is_nonascii(option_arg)) 48+ continue; 49+ 50 /* Terminal type */ 51 if(strcasecompare(option_keyword, "TTYPE")) { 52 strncpy(tn->subopt_ttype, option_arg, 31); 53