Report

CVE-2023-27534: Path Traversal in curl SFTP Tilde Expansion

56008779-01cf-4b8b-9a5e-e7bc611506c5

curl's SFTP implementation contains a path traversal vulnerability (CVE-2023-27534) in its tilde expansion. When an SFTP URL path begins with '/~/', the Curl_getworkingpath() function expands the tilde to the user's home directory but does not validate or normalize the remainder of the path. Directory traversal sequences ('/../') can therefore escape the intended home directory boundary. An attacker can craft a URL such as 'sftp://user@host/~/../../etc/passwd' to read arbitrary files on the system outside the user's home directory.

Located the vulnerability by searching the SSH backend code in lib/vssh/ and finding the path handling functions in lib/curl_path.c. The Curl_getworkingpath() function at lines 36-101 is the entry point. SFTP-specific handling starts at line 63. The vulnerable code checks whether working_path[1] == '~' (line 64), then expands the tilde to the home directory (lines 65-79), but at lines 80-82 it copies the remainder of the untrusted path directly, without validation: memcpy(real_path + homelen, working_path + 3, 1 + working_path_len - 3). This concatenation produces paths that can traverse outside the home directory. Example: '/~/../../etc/passwd' becomes '/home/user/../../etc/passwd', which resolves to '/etc/passwd'. The PoC file sftp_path_traversal_poc.c confirms the exact vulnerability mechanism.

Fixing the vulnerability requires post-expansion path normalization and validation. After concatenating the home directory with the user-supplied path component (line 82), the code must: (1) normalize the path to resolve '..' and '.' sequences; (2) verify that the normalized result stays within the home directory using a safe path comparison. Specific fix: replace the blind memcpy with a validated copy that rejects path traversal sequences, or use realpath()/canonical path functions after concatenation to ensure the final path is a descendant of homedir. The SCP handler (lines 57-59) has a similar pattern but is less exploitable because it does not include '..' resolution.

Verified by: (1) code inspection of lib/curl_path.c lines 64-82; (2) analysis of sftp_path_traversal_poc.c, which demonstrates the exact expansion mechanism; (3) confirmation that the memcpy at lines 81-82 performs no boundary checking; (4) tracing the data flow from the URL path input through to the unvalidated output concatenation.

Path Traversal / Directory Escape
security
significant
missing_dependency
c
["path-traversal", "curl", "CVE-2023-27534", "sftp", "tilde-expansion", "cold-baseline"]