From 3e6eb18fcea96dfb33af3a2f03ce65444e710ff0 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 22 Nov 2021 10:11:59 +0100
Subject: urlapi: reject short file URLs

file URLs that are 6 bytes or shorter are not complete. Return
CURLUE_MALFORMED_INPUT for those. Extended test 1560 to verify.

Triggered by #8041
Closes #8042
---
 lib/urlapi.c            | 4 ++++
 tests/libtest/lib1560.c | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/lib/urlapi.c b/lib/urlapi.c
index b0bce2e7d..ff157c743 100644
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -824,6 +824,10 @@ static CURLUcode seturl(const char *url, CURLU *u, unsigned int flags)
 
   /* handle the file: scheme */
   if(url_has_scheme && !strcmp(schemebuf, "file")) {
+    if(urllen <= 6)
+      /* file:/ is not enough to actually be a complete file: URL */
+      return CURLUE_MALFORMED_INPUT;
+
     /* path has been allocated large enough to hold this */
     strcpy(path, &url[5]);
 
diff --git a/tests/libtest/lib1560.c b/tests/libtest/lib1560.c
index de3e3109d..1cc1a60ec 100644
--- a/tests/libtest/lib1560.c
+++ b/tests/libtest/lib1560.c
@@ -267,6 +267,12 @@ static const struct testcase get_parts_list[] ={
   {"file:/hello.html",
    "file | [11] | [12] | [13] | [14] | [15] | /hello.html | [16] | [17]",
    0, 0, CURLUE_OK},
+  {"file:/h",
+   "file | [11] | [12] | [13] | [14] | [15] | /h | [16] | [17]",
+   0, 0, CURLUE_OK},
+  {"file:/",
+   "file | [11] | [12] | [13] | [14] | [15] | | [16] | [17]",
+   0, 0, CURLUE_MALFORMED_INPUT},
   {"file://127.0.0.1/hello.html",
    "file | [11] | [12] | [13] | [14] | [15] | /hello.html | [16] | [17]",
    0, 0, CURLUE_OK},
-- 
cgit v1.2.1