author | Daniel Stenberg <daniel@haxx.se> | 2022-12-14 23:41:08 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2022-12-15 08:23:48 +0100 |
commit | c20b35ddaeaa09ec7db542a52214546c56c7472c (patch) | |
tree | 91f2fcd2e42fe39956bc1880d4edbf50d1520d3f | |
parent | b740f152a8582861de737562d92d81c5e8a3c710 (diff) | |
download | curl-c20b35ddaeaa09ec7db542a52214546c56c7472c.tar.gz |
urlapi: reject more bad letters from the host name: &+()
Follow-up from eb0167ff7d31d3a5
Extend test 1560 to verify
Closes #10096
-rw-r--r-- | lib/urlapi.c | 2 | ||||
-rw-r--r-- | tests/libtest/lib1560.c | 12 |
2 files changed, 9 insertions, 5 deletions
diff --git a/lib/urlapi.c b/lib/urlapi.c
index 7dac81c85..b96af35ad 100644
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -636,7 +636,7 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname,
 }
 else {
 /* letters from the second string are not ok */
- len = strcspn(hostname, " \r\n\t/:#?!@{}[]\\$\'\"^`*<>=;,");
+ len = strcspn(hostname, " \r\n\t/:#?!@{}[]\\$\'\"^`*<>=;,+&()");
 if(hlen != len)
 /* hostname with bad content */
 return CURLUE_BAD_HOSTNAME;
diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
index 42300cfd7..f27864c8d 100644
--- a/tests/libtest/lib1560.c
+++ b/tests/libtest/lib1560.c
@@ -160,6 +160,10 @@ static const struct testcase get_parts_list[] ={
 {"https://exam=ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
 {"https://exam;ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
 {"https://example,net", "", 0, 0, CURLUE_BAD_HOSTNAME},
+ {"https://example&net", "", 0, 0, CURLUE_BAD_HOSTNAME},
+ {"https://example+net", "", 0, 0, CURLUE_BAD_HOSTNAME},
+ {"https://example(net", "", 0, 0, CURLUE_BAD_HOSTNAME},
+ {"https://example)net", "", 0, 0, CURLUE_BAD_HOSTNAME},
 {"https://example.net/}",
 "https | [11] | [12] | [13] | example.net | [15] | /} | [16] | [17]",
 0, 0, CURLUE_OK},
@@ -466,8 +470,8 @@ static const struct urltestcase get_url_list[] = {
 {"https://0xff.0xff.0377.255", "https://255.255.255.255/", 0, 0, CURLUE_OK},
 {"https://1.0xffffff", "https://1.255.255.255/", 0, 0, CURLUE_OK},
 /* IPv4 numerical overflows or syntax errors will not normalize */
- {"https://+127.0.0.1", "https://+127.0.0.1/", 0, 0, CURLUE_OK},
- {"https://+127.0.0.1", "https://%2B127.0.0.1/", 0, CURLU_URLENCODE,
+ {"https://a127.0.0.1", "https://a127.0.0.1/", 0, 0, CURLUE_OK},
+ {"https://\xff.127.0.0.1", "https://%FF.127.0.0.1/", 0, CURLU_URLENCODE,
 CURLUE_OK},
 {"https://127.-0.0.1", "https://127.-0.0.1/", 0, 0, CURLUE_OK},
 {"https://127.0. 1", "https://127.0.0.1/", 0, 0, CURLUE_BAD_HOSTNAME},
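Review bot: The rejected set in hostname_check (lib/urlapi.c) is a denylist kept in an inline string literal, so any byte not spelled out in it still passes this `strcspn` check. The lib1560.c case in this same commit that expects `https://\xff.127.0.0.1` to return CURLUE_OK shows that bytes >= 0x80 are among the accepted ones. Whether control characters other than `\r\n\t`, or `|`, are rejected somewhere else is not visible here, because the function body starts and ends outside the hunk. I would state the policy next to the literal, for example `/* denylist: a byte not listed here is accepted by this check */`, and consider moving the string into one named constant so the next follow-up edits a single documented place.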
@@ -632,9 +636,9 @@ static int checkurl(const char *url, const char *out)
 /* !checksrc! disable SPACEBEFORECOMMA 1 */
 static const struct setcase set_parts_list[] = {
 {"https://example.com/",
- "host=++,", /* '++' there's no automatic URL decode when settin this
+ "host=0xff,", /* '++' there's no automatic URL decode when settin this
 part */
- "https://++/",
+ "https://0xff/",
 0, /* get */
 0, /* set */
 CURLUE_OK, CURLUE_OK}, |
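Review bot: The comment kept on the changed `"host=0xff,"` line still refers to '++' and URL decoding, which no longer matches the value being set. The old `host=++` input was replaced rather than turned into a failing case, so nothing visible in this hunk checks that setting a host containing one of the newly rejected letters is refused on the set path. I would reword the comment to match the expected output, for example `/* '0xff' is stored as given when setting this part */`, and add a separate entry that sets `"host=++,"` and expects CURLUE_BAD_HOSTNAME from the set call. set_parts_list starts in this hunk and continues outside it, so an equivalent case may already exist further down.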