Report

CVE-2020-8177: curl -J + -i symlink/file-overwrite via rename() in tool_header_cb

b07fed8d-9d30-4e0c-bea2-554c611b2fe1

CVE-2020-8177: When curl is invoked with both -J (--remote-header-name, Content-Disposition filename) and -i (--include, show headers in output), a malicious server can overwrite arbitrary local files in the working directory.

The bug is in src/tool_cb_hdr.c :: tool_header_cb(). When -i is active, the first HTTP response header (e.g. "HTTP/1.1 200 OK") triggers tool_create_output_file() to open the URL-derived filename, setting outs->stream. Later, when the Content-Disposition header arrives, the code sees outs->stream is set and enters a vulnerable branch that calls rename(outs->filename, cd_filename) — where cd_filename is fully attacker-controlled. This rename() call is POSIX-atomic and overwrites any existing file at cd_filename in the working directory, bypassing the anti-overwrite check in tool_create_output_file().

Secondary TOCTOU symlink attack (no -i needed): tool_create_output_file() checks for an existing file with fopen(name, "rb"), which follows symlinks. A dangling symlink (its target does not exist) makes fopen(name, "rb") return NULL, so the check passes; the subsequent fopen(name, "wb") follows the same symlink and creates the target file, allowing an attacker to write through a pre-placed symlink to a sensitive path.
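Worked example, added here and not curl's code nor the patch for this CVE: a small C program that contrasts the probe-then-create pattern described above (fopen "rb" as an existence check, then fopen "wb") with a single exclusive open(2), and a name-selection rule that never renames an already-open output, covering both the rename() branch and the symlink TOCTOU. The function names, the selection policy and the temporary-directory scenario are this example's own assumptions; the security property relies on POSIX semantics for open() with O_CREAT|O_EXCL on a path that names a symbolic link.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0   /* O_EXCL alone already refuses a symlink per POSIX */
#endif

/* The pattern the report describes: an existence probe with fopen("rb") that
 * follows symlinks, then a separate fopen("wb"). A dangling symlink passes the
 * probe (NULL) and the later write follows the link to its target. */
static FILE *probe_then_create(const char *name)
{
    FILE *probe = fopen(name, "rb");
    if (probe) {               /* something readable is there: refuse */
        fclose(probe);
        errno = EEXIST;
        return NULL;
    }
    return fopen(name, "wb");  /* separate step: the link is followed here */
}

/* Hardened form: one open(2) that creates the file only if nothing at all
 * exists at that name. O_EXCL makes the kernel fail with EEXIST even when the
 * name is a dangling symlink; O_NOFOLLOW is a second line of defence. */
static int create_exclusive(const char *name)
{
    return open(name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
}

/* Assumed policy for -J: adopt the Content-Disposition name only while no
 * output stream is open yet. Once a file is open the header is ignored rather
 * than honoured by rename(), which is the branch the report identifies. */
static const char *pick_output_name(const char *url_name, const char *cd_name,
                                    int stream_open)
{
    if (cd_name && !stream_open)
        return cd_name;
    return url_name;
}

/* Runs both creators against a dangling symlink in a private temp directory
 * (a constructed scenario). Returns 0 when every expectation holds, otherwise
 * the number of the failing step. */
static int run_demo(void)
{
    char dir[] = "/tmp/cve-2020-8177-demo-XXXXXX";
    char link_path[256], target_path[256], fresh_path[256];
    int step = 0, fd;

    if (!mkdtemp(dir)) return 1;
    snprintf(link_path, sizeof link_path, "%s/download.bin", dir);
    snprintf(target_path, sizeof target_path, "%s/link-target", dir);
    snprintf(fresh_path, sizeof fresh_path, "%s/fresh.bin", dir);

    /* A dangling symlink sits at the name the download would use. */
    if (symlink(target_path, link_path) != 0) step = 2;

    /* Unsafe pattern: probe says "nothing there", the write lands on the target. */
    if (!step) {
        FILE *f = probe_then_create(link_path);
        if (!f || access(target_path, F_OK) != 0) step = 3;
        if (f) fclose(f);
        unlink(target_path);
    }

    /* Hardened pattern: refused with EEXIST, the target never appears. */
    if (!step) {
        fd = create_exclusive(link_path);
        if (fd != -1) { close(fd); step = 4; }
        else if (errno != EEXIST || access(target_path, F_OK) == 0) step = 4;
    }

    /* Hardened pattern still creates a genuinely new file, and only once. */
    if (!step) {
        fd = create_exclusive(fresh_path);
        if (fd == -1) step = 5;
        else close(fd);
    }
    if (!step && create_exclusive(fresh_path) != -1) step = 6;

    /* Policy check: a late Content-Disposition never replaces an open output. */
    if (!step && strcmp(pick_output_name("index.html", "other.txt", 1), "index.html") != 0) step = 7;
    if (!step && strcmp(pick_output_name("index.html", "report.pdf", 0), "report.pdf") != 0) step = 8;

    unlink(fresh_path);
    unlink(link_path);
    rmdir(dir);
    return step;
}

int main(void)
{
    int rc = run_demo();
    printf("%s (step %d)\n", rc == 0 ? "all checks passed" : "check failed", rc);
    return rc != 0;
}
```

Build with `cc -o demo demo.c && ./demo`. The design point is that the existence check and the creation must be one system call: POSIX specifies that open() with O_CREAT|O_EXCL fails with EEXIST when the path names a symbolic link, regardless of whether the link resolves, so the dangling-link case that defeats a separate fopen("rb") probe cannot occur. Deciding the output name before any stream is opened, and never renaming afterwards, removes the need for rename() and the overwrite it enabled.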