author | Daniel Stenberg <daniel@haxx.se> | 2019-04-11 13:20:15 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2019-04-12 13:30:35 +0200 |
commit | 89543f759a491492e647cdfb8d5aa4000a349113 (patch) | |
tree | cbe22fb6ffe388a0326d57928625d8a40e2d1898 /lib/urlapi.c | |
parent | 60034228255894fcea57950b3b39bfe6f5fca580 (diff) | |
download | curl-bagder/urlapi-set-port-zero.tar.gz |
urlapi: stricter CURLUPART_PORT parsing (bagder/urlapi-set-port-zero)
Only allow well formed decimal numbers in the input.
Document that the number MUST be between 1 and 65535.
Add tests to test 1560 to verify the above.
Ref: https://github.com/curl/curl/issues/3753
Diffstat (limited to 'lib/urlapi.c')
-rw-r--r-- | lib/urlapi.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/lib/urlapi.c b/lib/urlapi.c
index 04b04923e..0eb06d24d 100644
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -1145,6 +1145,7 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what,
 storep = &u->host;
 break;
 case CURLUPART_PORT:
+ u->portnum = 0;
 storep = &u->port;
 break;
 case CURLUPART_PATH:
@@ -1188,12 +1189,18 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what,
 storep = &u->host;
 break;
 case CURLUPART_PORT:
+ {
+ char *endp;
 urlencode = FALSE; /* never */
- port = strtol(part, NULL, 10); /* Port number must be decimal */
+ port = strtol(part, &endp, 10); /* Port number must be decimal */
 if((port <= 0) || (port > 0xffff))
 return CURLUE_BAD_PORT_NUMBER;
+ if(*endp)
+ /* weirdly provided number, not good! */
+ return CURLUE_MALFORMED_INPUT;
 storep = &u->port;
- break;
+ }
+ break;
 case CURLUPART_PATH:
 urlskipslash = TRUE;
 storep = &u->path; |
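Review bot: In the second hunk's `CURLUPART_PORT` case, `strtol()` still skips leading whitespace and accepts a `+` sign, so inputs such as `" 80"` or `"+80"` pass both the range check and the new `*endp` check even though the commit intends to allow only well-formed decimal numbers. A guard before the conversion, `if(*part < '0' || *part > '9') return CURLUE_MALFORMED_INPUT;`, closes that gap and keeps this parser's view of the port aligned with stricter URL parsers, which matters where a URL is validated by one component and fetched by another. The range check also runs before the `*endp` check, so `"0x50"` reports `CURLUE_BAD_PORT_NUMBER` while `"80x"` reports `CURLUE_MALFORMED_INPUT`; testing `*endp` first would make the error codes consistent. The string appears to be stored as given through `storep` later in `curl_url_set`, whose body continues outside this hunk, so it is worth confirming that forms like `"080"` are not copied verbatim into the rebuilt URL.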