urlapi: stricter CURLUPART_PORT parsingbagder/urlapi-set-port-zero

Only allow well formed decimal numbers in the input. Document that the number MUST be between 1 and 65535. Add tests to test 1560 to verify the above. Ref: https://github.com/curl/curl/issues/3753
author: Daniel Stenberg <daniel@haxx.se> 2019-04-11 13:20:15 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2019-04-12 13:30:35 +0200
commit: 89543f759a491492e647cdfb8d5aa4000a349113 (patch)
tree: cbe22fb6ffe388a0326d57928625d8a40e2d1898 /lib/urlapi.c
parent: 60034228255894fcea57950b3b39bfe6f5fca580 (diff)
download: curl-bagder/urlapi-set-port-zero.tar.gz
1 files changed, 9 insertions, 2 deletions
diff --git a/lib/urlapi.c b/lib/urlapi.c
index 04b04923e..0eb06d24d 100644
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -1145,6 +1145,7 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what,
       storep = &u->host;
       break;
     case CURLUPART_PORT:
+      u->portnum = 0;
       storep = &u->port;
       break;
     case CURLUPART_PATH:
@@ -1188,12 +1189,18 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what,
     storep = &u->host;
     break;
   case CURLUPART_PORT:
+  {
+    char *endp;
     urlencode = FALSE; /* never */
-    port = strtol(part, NULL, 10);  /* Port number must be decimal */
+    port = strtol(part, &endp, 10);  /* Port number must be decimal */
     if((port <= 0) || (port > 0xffff))
       return CURLUE_BAD_PORT_NUMBER;
+    if(*endp)
+      /* weirdly provided number, not good! */
+      return CURLUE_MALFORMED_INPUT;
     storep = &u->port;
-    break;
+  }
+  break;
   case CURLUPART_PATH:
     urlskipslash = TRUE;
     storep = &u->path;
author	Daniel Stenberg <daniel@haxx.se>	2019-04-11 13:20:15 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2019-04-12 13:30:35 +0200
commit	89543f759a491492e647cdfb8d5aa4000a349113 (patch)
tree	cbe22fb6ffe388a0326d57928625d8a40e2d1898 /lib/urlapi.c
parent	60034228255894fcea57950b3b39bfe6f5fca580 (diff)
download	curl-bagder/urlapi-set-port-zero.tar.gz