author | Daniel Stenberg <daniel@haxx.se> | 2022-09-27 17:48:08 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2022-09-28 08:22:42 +0200 |
commit | eb0167ff7d31d3a5e1f01e8b05e25b1bf94bb2a7 (patch) | |
tree | 7f70e98728b2f772786c4180d6b07ca62865c92e /lib/urlapi.c | |
parent | 267668308bca1253d3b415b6f95fa1515365002c (diff) | |
urlapi: reject more bad characters from the host name field
Extended test 1560 to verify
Report from the ongoing source code audit by Trail of Bits.
Closes #9608
Diffstat (limited to 'lib/urlapi.c')
-rw-r--r-- | lib/urlapi.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/urlapi.c b/lib/urlapi.c
index c28960ac1..b3c91a085 100644
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -637,7 +637,7 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname,
 }
 else {
 /* letters from the second string are not ok */
- len = strcspn(hostname, " \r\n\t/:#?!@");
+ len = strcspn(hostname, " \r\n\t/:#?!@{}[]\\$\'\"^`*<>=;,");
 if(hlen != len)
 /* hostname with bad content */
 return CURLUE_BAD_HOSTNAME; |
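Review bot: The extended reject set passed to `strcspn()` is still a deny-list, and as written it lets `|`, `&`, `(`, `)`, `+` and control bytes other than CR, LF and TAB through as host name characters. Whether another step rejects them is not visible here, because hostname_check starts and ends outside the hunk. If they are not meant to be accepted, append `&()+|` to the string, or invert the test into an allow-list by running `strspn()` over the characters a host name may contain and comparing the result with `hlen`. A comment above the call naming the rule the set follows would make the next omission easier to spot, for example `/* reject URL delimiters and shell/markup metacharacters; any byte not listed here is accepted */`.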