authorDaniel Stenberg <daniel@haxx.se>2021-05-31 08:59:24 +0200
committerDaniel Stenberg <daniel@haxx.se>2021-06-15 10:49:49 +0200
commitb67d3ba73e98cba63dc6246ee0da22ea803ec3e8 (patch)
tree5a572311875f11ebd262eaf75d81d6a35b6e9548 /lib/urlapi.c
parent8f717b6cf0e55a4caaac4550221b97559a1f9b57 (diff)
downloadcurl-b67d3ba73e98cba63dc6246ee0da22ea803ec3e8.tar.gz
curl_url_set: reject spaces in URLs w/o CURLU_ALLOW_SPACE
They were never officially allowed and slipped in only due to sloppy parsing. Spaces (ASCII 32) should be correctly encoded (to %20) before being part of a URL. The new flag bit CURLU_ALLOW_SPACE, when used while setting a full URL, makes libcurl allow spaces. Updated test 1560 to verify. Closes #7073
Diffstat (limited to 'lib/urlapi.c')
-rw-r--r--lib/urlapi.c20
1 files changed, 10 insertions, 10 deletions
diff --git a/lib/urlapi.c b/lib/urlapi.c
index 6483208ec..d6d92cf77 100644
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -131,7 +131,7 @@ static const char *find_host_sep(const char *url)
*/
static bool urlchar_needs_escaping(int c)
{
- return !(ISCNTRL(c) || ISSPACE(c) || ISGRAPH(c));
+ return !(ISCNTRL(c) || ISSPACE(c) || ISGRAPH(c));
}
/*
@@ -580,7 +580,7 @@ UNITTEST CURLUcode Curl_parse_port(struct Curl_URL *u, char *hostname,
}
/* scan for byte values < 31 or 127 */
-static CURLUcode junkscan(const char *part)
+static bool junkscan(const char *part, unsigned int flags)
{
if(part) {
static const char badbytes[]={
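Review bot: The comment above `junkscan` is stale after this change: it still reads "scan for byte values < 31 or 127", while the function now also rejects a space unless `CURLU_ALLOW_SPACE` is set, and it returns a bool instead of a `CURLUcode`. I would replace it with `/* returns TRUE if 'part' holds a control byte or 0x7f, or a space while CURLU_ALLOW_SPACE is not set in 'flags' */`. The inner comment in the next hunk ("return a generic error code") has the same problem, because the error code is now picked by the callers in `seturl`; it can be dropped or moved to those call sites. The function body continues outside this hunk.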
@@ -588,17 +588,18 @@ static CURLUcode junkscan(const char *part)
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
- 0x7f,
- 0x00 /* null-terminate */
+ 0x7f, 0x00 /* null-terminate */
};
size_t n = strlen(part);
size_t nfine = strcspn(part, badbytes);
if(nfine != n)
/* since we don't know which part is scanned, return a generic error
code */
- return CURLUE_MALFORMED_INPUT;
+ return TRUE;
+ if(!(flags & CURLU_ALLOW_SPACE) && strchr(part, ' '))
+ return TRUE;
}
- return CURLUE_OK;
+ return FALSE;
}
static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
@@ -884,9 +885,8 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags)
!(flags & CURLU_NON_SUPPORT_SCHEME))
return CURLUE_UNSUPPORTED_SCHEME;
- if(junkscan(schemep))
+ if(junkscan(schemep, flags))
return CURLUE_MALFORMED_INPUT;
-
}
else {
/* no scheme! */
@@ -927,7 +927,7 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags)
}
}
- if(junkscan(path))
+ if(junkscan(path, flags))
return CURLUE_MALFORMED_INPUT;
if((flags & CURLU_URLENCODE) && path[0]) {
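Review bot: With `CURLU_ALLOW_SPACE` set and `CURLU_URLENCODE` not set, `junkscan(path, flags)` passes and the `if((flags & CURLU_URLENCODE) && path[0])` branch is skipped, so a literal space appears to stay in the stored path. A raw space is the field delimiter of an HTTP request line, so an application that accepts such URLs from untrusted input and later uses them for a transfer has to encode them first. A comment at the check would make that explicit, for example `/* CURLU_ALLOW_SPACE without CURLU_URLENCODE keeps the space as-is; encode it before use in a request */`. What happens to the path further down in `seturl` is outside this hunk, so this should be confirmed against the rest of the function.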
@@ -991,7 +991,7 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags)
/*
* Parse the login details and strip them out of the host name.
*/
- if(junkscan(hostname))
+ if(junkscan(hostname, flags))
return CURLUE_MALFORMED_INPUT;
result = parse_hostname_login(u, &hostname, flags);
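Review bot: `junkscan(hostname, flags)` now lets a space through when `CURLU_ALLOW_SPACE` is set, and at this point the string still holds the login part, so the flag cannot simply be masked off here. A space is never valid in the host name itself, so rejecting it depends on the checks that run after `parse_hostname_login`, presumably `hostname_check`, whose body is not visible in this diff. It is worth confirming that this later check rejects a space regardless of the flag, and adding a test case for a URL with a space in the host and the flag set. A short comment such as `/* spaces in the host name proper are rejected later, after the login part is stripped */` would record the dependency.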