Arbitrary File Deletion Vulnerability in curl Source Code via os.unlink()
High
curl
Reported by: aadityaathehacker
Vulnerability Details
Technical details and impact analysis
## Summary:
The curl source code's testing scripts contain instances where the os.unlink() function is used to delete files without validating the input file paths. This introduces a risk of arbitrary file deletion when these scripts are executed with malicious or manipulated inputs. Although the vulnerability is present in test scripts, it could lead to unintended consequences if these scripts are used in shared or automated environments.
## Steps To Reproduce:
1. Clone the curl repository (https://github.com/curl/curl.git).
2. Move to the tests directory.
3. Identify the affected scripts. The following scripts and lines contain vulnerabilities:
   - tests/negtelnetserver.py (Line 366)
   - tests/dictserver.py (Line 183)
   - tests/smbserver.py (Lines 96, 450)
4. Simulate malicious input:
   - Identify the specific script and input options (e.g., options.pidfile) in the affected code.
   - Modify the options.pidfile or related variable to point to a sensitive system file (e.g., /etc/passwd).
   - Trigger the script, which leads to the deletion of the specified file.

Edit a script to simulate an attacker-controlled input. For example, in negtelnetserver.py:

```python
# Original code:
os.unlink(options.pidfile)
# Malicious input simulation:
options.pidfile = "/etc/passwd"  # Replace this with a critical or sensitive file
os.unlink(options.pidfile)
```

5. Run the vulnerable script. Execute the script after modifying the input:

```
python3 negtelnetserver.py
```

6. Observe the results: when the script is executed, the specified file is deleted.
## Supporting Material/References:
- CWE-20: Improper Input Validation
  - Example: Allowing user-controlled values for options.pidfile without ensuring they refer to a valid file in an allowed directory.
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
  - Example: An attacker supplies a path like ../../../etc/passwd for deletion.
- CWE-732: Incorrect Permission Assignment for Critical Resource
  - Example: Allowing os.unlink() to execute on sensitive files.
- CWE-552: Files or Directories Accessible to External Parties
  - Example: Allowing external parties to set options.pidfile to a sensitive file path.
- CWE-610: Externally Controlled Reference to a Resource in Another Sphere
  - Example: Allowing the attacker to specify arbitrary file paths for deletion.
## Impact
Unvalidated file paths passed to os.unlink() may allow an attacker to:
- Delete arbitrary files, potentially causing system instability or downtime.
- Target critical system files for deletion (e.g., logs, configuration files).
- Affect multi-user systems by deleting files belonging to other users.
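
The following is an added example, not part of the original report and not curl's own code: one way a test server could guard its pidfile cleanup so that a path outside an expected directory, a symlink, or a file it did not write is never passed to os.unlink(). The names `safe_remove_pidfile` and `allowed_dir` are hypothetical, and a POSIX system is assumed (for `O_NOFOLLOW`).

```python
import os
import stat
import tempfile


def safe_remove_pidfile(pidfile, allowed_dir, expected_pid=None):
    """Unlink pidfile only when it is a regular file directly inside
    allowed_dir and contains expected_pid. Returns (removed, reason)."""
    expected_pid = os.getpid() if expected_pid is None else expected_pid
    base = os.path.realpath(allowed_dir)
    parent, name = os.path.split(os.path.abspath(pidfile))
    # realpath() on the parent resolves "../" and symlinked directories,
    # so the comparison uses the location that would really be touched.
    if not name or os.path.realpath(parent) != base:
        return False, "outside allowed directory"
    target = os.path.join(base, name)
    try:
        # O_NOFOLLOW refuses a symlinked final component; O_NONBLOCK avoids
        # hanging if the name turns out to be a FIFO.
        fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return False, "missing, symlink or unreadable"
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return False, "not a regular file"
        content = os.read(fd, 32).decode("ascii", "replace").strip()
    finally:
        os.close(fd)
    # Only remove a file that records the PID this process expects.
    if content != str(expected_pid):
        return False, "pid mismatch"
    os.unlink(target)
    return True, "removed"


if __name__ == "__main__":
    # Constructed sample: a scratch directory standing in for the log dir.
    with tempfile.TemporaryDirectory() as logdir:
        pidfile = os.path.join(logdir, "server.pid")
        with open(pidfile, "w") as fh:
            fh.write(str(os.getpid()))
        for candidate in ("/etc/passwd", os.path.join(logdir, "..", "x"), pidfile):
            print(candidate, safe_remove_pidfile(candidate, logdir))
```

A window remains between the content check and the final unlink by name, so the allowed directory should be writable only by the user running the tests.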
Report Details
Additional information and metadata
State: Closed
Substate: Not-Applicable
Weakness: Improper Input Validation