Root cause: unvalidated
The Curl_getworkingpath() function (lines 36-101) is the entry point, and its SFTP-specific handling starts at line 63. The vulnerable code checks whether working_path[1] == '~' (line 64) and then expands it to the home directory (lines 65-79), but at lines 80-82 it copies the remainder of the untrusted path directly, without validation: memcpy(real_path + homelen, working_path + 3, 1 + working_path_len - 3). This concatenation produces paths that can traverse outside the home directory.
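One way to validate the remainder before the copy described above, as an added example that is not curl's own code and not the project's fix. The names expand_home_checked() and has_dotdot_component() are hypothetical, and rejecting ".." components and any prefix other than "/~/" are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>

/* Return 1 if any '/'-separated component of p is exactly "..". */
static int has_dotdot_component(const char *p)
{
  while(*p) {
    const char *end;
    size_t len;
    while(*p == '/')
      p++;
    end = strchr(p, '/');
    len = end ? (size_t)(end - p) : strlen(p);
    if(len == 2 && p[0] == '.' && p[1] == '.')
      return 1;
    p += len;
  }
  return 0;
}

/* Hypothetical helper: expand "/~/rest" to "<homedir>/rest".
   Returns a malloc'd string, or NULL if the path is rejected. */
char *expand_home_checked(const char *working_path, const char *homedir)
{
  size_t working_path_len = strlen(working_path);
  size_t homelen = strlen(homedir);
  char *real_path;

  /* Assumption of this example: only a "/~/" prefix is home-relative. */
  if(working_path_len < 3 || working_path[0] != '/' ||
     working_path[1] != '~' || working_path[2] != '/')
    return NULL;
  /* The check missing before the copy: refuse ".." in the remainder. */
  if(has_dotdot_component(working_path + 3))
    return NULL;

  real_path = malloc(homelen + 1 + working_path_len - 3 + 1);
  if(!real_path)
    return NULL;
  memcpy(real_path, homedir, homelen);
  real_path[homelen++] = '/';
  /* Same copy as on the page; the 1 + ... includes the terminating NUL. */
  memcpy(real_path + homelen, working_path + 3, 1 + working_path_len - 3);
  return real_path;
}
```

The check is purely lexical: it does not account for symbolic links on the server that point outside the home directory.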