parse_proxy: reject illegal port numbers

If the port number in the proxy string ended weirdly or the number is too large, skip it. Mostly as a means to bail out early if a "bare" IPv6 numerical address is used without enclosing brackets. Also mention the bracket requirement for IPv6 numerical addresses to the man page for CURLOPT_PROXY. Closes #415 Reported-by: Marcel Raad
author: Daniel Stenberg <daniel@haxx.se> 2015-09-08 13:42:48 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2015-09-08 15:17:00 +0200
commit: 87e533ace035849c612968fbad0a55dc93a93185 (patch)
tree: d48637cde9df0d4e1da45a0a6bf6579089ab601b
parent: 27620171ffe1a47735de706aa0b0a66d45f867ed (diff)
download: curl-87e533ace035849c612968fbad0a55dc93a93185.tar.gz
2 files changed, 18 insertions, 4 deletions
diff --git a/docs/libcurl/opts/CURLOPT_PROXY.3 b/docs/libcurl/opts/CURLOPT_PROXY.3
index b419e51bc..cf5c7574c 100644
--- a/docs/libcurl/opts/CURLOPT_PROXY.3
+++ b/docs/libcurl/opts/CURLOPT_PROXY.3
@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -29,8 +29,8 @@ CURLOPT_PROXY \- set proxy to use
 CURLcode curl_easy_setopt(CURL *handle, CURLOPT_PROXY, char *proxy);
 .SH DESCRIPTION
 Set the \fIproxy\fP to use for the upcoming request. The parameter should be a
-char * to a zero terminated string holding the host name or dotted IP
-address.
+char * to a zero terminated string holding the host name or dotted numerical
+IP address. A numerical IPv6 address must be written within [brackets].
 
 To specify port number in this string, append :[port] to the end of the host
 name. The proxy's port number may optionally be specified with the separate
diff --git a/lib/url.c b/lib/url.c
index d572f0195..dccd7109e 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -4640,10 +4640,24 @@ static CURLcode parse_proxy(struct SessionHandle *data,
   /* Get port number off proxy.server.com:1080 */
   prox_portno = strchr(portptr, ':');
   if(prox_portno) {
+    char *endp = NULL;
+    long port = 0;
     *prox_portno = 0x0; /* cut off number from host name */
     prox_portno ++;
     /* now set the local port number */
-    conn->port = strtol(prox_portno, NULL, 10);
+    port = strtol(prox_portno, &endp, 10);
+    if((endp && *endp && (*endp != '/') && (*endp != ' ')) ||
+       (port >= 65536) ) {
+      /* meant to detect for example invalid IPv6 numerical addresses without
+         brackets: "2a00:fac0:a000::7:13". Accept a trailing slash only
+         because we then allow "URL style" with the number followed by a
+         slash, used in curl test cases already. Space is also an acceptable
+         terminating symbol. */
+      infof(data, "No valid port number in proxy string (%s)\n",
+            prox_portno);
+    }
+    else
+      conn->port = port;
   }
   else {
     if(proxyptr[0]=='/')
author	Daniel Stenberg <daniel@haxx.se>	2015-09-08 13:42:48 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2015-09-08 15:17:00 +0200
commit	87e533ace035849c612968fbad0a55dc93a93185 (patch)
tree	d48637cde9df0d4e1da45a0a6bf6579089ab601b
parent	27620171ffe1a47735de706aa0b0a66d45f867ed (diff)
download	curl-87e533ace035849c612968fbad0a55dc93a93185.tar.gz