In the world of software security, subtle bugs in everyday tools can sometimes lead to surprisingly dangerous vulnerabilities. One such example is CVE-2022-27778, which affected the popular tool curl – a command-line program used to transfer data using various network protocols.

This vulnerability, fixed in curl version 7.83.1, is all about what happens when you combine two special options: --no-clobber (don’t overwrite existing files) and --remove-on-error (delete file if an error occurs). Due to incorrectly resolved filenames in some situations, curl could end up deleting the wrong file on your computer. Sounds scary? Let’s break down exactly what happened, using simple language and code examples.

What is Curl and What Happened?

Curl lets you download files from the internet or upload them, using commands in your terminal. It’s used everywhere – in scripts, automated processes, DevOps pipelines, and more.

- --no-clobber prevents curl from overwriting a file if it already exists.

- --remove-on-error tells curl to remove the file it just created or tried to create, but only if something goes wrong during transfer.

The Problem: Incorrect Filename Resolution

Internally, curl keeps track of what file it’s writing to. If you download a file and ask it to name the file automatically, curl tries to resolve what to call it. But, there was a bug: in some error cases, curl forgot what it decided to call the file. When it came time to clean up (delete the file after an error), curl would "remember" the wrong filename – possibly deleting a file you never intended curl to touch.

Suppose file.txt already exists in the current directory and you run:

```bash
curl --no-clobber --remove-on-error -O http://example.com/file.txt
```

Because of --no-clobber, curl should not overwrite or touch the existing file.

If an error occurs during the download (say the network drops or the server returns a 404), curl tries to clean up by deleting what it *thinks* was the downloaded file.

Wrong file deletion:

Due to the bug, curl might delete the existing file.txt even though it never downloaded over it, or, even worse, delete other files if its internal filename variables were set incorrectly!

Exploit Details: How Could Someone Abuse This?

This bug is more likely to cause accidental data loss than outright hacking, but in some scenarios, a malicious server or attacker could purposefully trigger errors and mislead a script-runner into losing files.

Suppose you have a critical log file in your directory, and you use curl in a script like this:

```bash
# logs.txt already exists in the directory
curl --no-clobber --remove-on-error -O http://attacker.com/logs.txt
```

If the server triggers an HTTP 404 error (not found), curl, due to the flaw, could delete your existing logs.txt file by mistake!

Code Walkthrough

In the patch for version 7.83.1, the bug was fixed so that --remove-on-error only removes files that curl actually created during the current command.

Here’s a simplified example of what went wrong:

```c
#include <unistd.h>  /* unlink() */

if (error_occurred && remove_on_error) {
    /* Before the fix, filename could point to a file curl never created! */
    unlink(filename);
}
```

With the fix, curl tracks whether it created the file itself:

```c
#include <unistd.h>  /* unlink() */

/* file_was_created_by_curl is only set when this run created the file */
if (error_occurred && remove_on_error && file_was_created_by_curl) {
    unlink(filename);
}
```

Timeline and References

- Bug Report: curl GitHub issue #8832
- Fix commit: db5b3733 in curl repo
- Official CVE Description: nvd.nist.gov entry for CVE-2022-27778
- Release notes: curl 7.83.1 security advisory

Be careful with local files and scripting:

If you automate downloads using curl, make sure you handle error cases carefully. Even outside this bug, it’s good practice.
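One way to structure such a script so that no cleanup step can ever reach a pre-existing file, as an added example that is not from the original post or from the curl project: download into a file the script itself created, and delete only that file. The `safe_fetch` helper, its optional FETCH_CMD parameter and the `fake_curl` stand-in are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from the curl project.
# safe_fetch URL DEST [FETCH_CMD]
#   Downloads URL into a temporary file that this function itself created,
#   and only ever deletes that file. On success it links the result into
#   place with ln(1), which fails atomically if DEST already exists, so a
#   pre-existing DEST is never overwritten or removed, whatever curl does.
#   FETCH_CMD (assumed parameter) defaults to curl; the offline demo below
#   substitutes a stand-in.
safe_fetch() {
    url=$1; dest=$2; fetch=${3:-curl}
    dir=$(dirname "$dest")
    # mktemp creates a brand-new, uniquely named file: it cannot be an
    # existing file, so removing it later is always safe.
    tmp=$(mktemp "$dir/.download-XXXXXX") || return 1
    # -f makes curl exit non-zero on HTTP errors such as 404 instead of
    # saving the error page as if it were the file.
    if ! $fetch -fsSL -o "$tmp" "$url"; then
        rm -f "$tmp"            # cleanup touches only the file we created
        return 1
    fi
    if ln "$tmp" "$dest" 2>/dev/null; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    echo "safe_fetch: refusing to clobber $dest" >&2
    return 2
}

# Constructed stand-in for curl so the example runs offline. It accepts the
# same "-fsSL -o FILE URL" argument shape, writes "payload" to FILE when the
# URL ends in ok.txt, and otherwise fails like curl -f does on a 404 (exit 22).
fake_curl() {
    fout=; furl=
    while [ $# -gt 0 ]; do
        case $1 in
            -o) fout=$2; shift 2 ;;
            http*) furl=$1; shift ;;
            *) shift ;;
        esac
    done
    case $furl in
        *ok.txt) printf 'payload\n' > "$fout" ;;
        *) return 22 ;;
    esac
}
```

With real curl, call `safe_fetch http://example.com/file.txt file.txt` and omit the third argument.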

Conclusion

CVE-2022-27778 teaches us that even the safest-seeming command-line tools can have hidden potholes, especially when rarely-combined options interact in unexpected ways. The curl team fixed this bug quickly, but as users, it’s up to us to update our tools, audit our scripts, and use each option with care.

Stay updated, stay safe, and always remember to test your scripts on sample files!

Further Reading:  
- curl security vulnerabilities  
- Understanding basic curl options  


*Feel free to share your own curl horror stories or experiences with subtle bugs below!*

Timeline

Published on: 06/02/2022 14:15:00 UTC
Last modified on: 07/29/2022 20:15:00 UTC