From ae1912cb0d494b48d514d937826c9fe83ec96c4d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 29 Dec 1999 14:20:26 +0000 Subject: Initial revision --- lib/escape.c | 111 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 lib/escape.c (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c new file mode 100644 index 000000000..68000cd71 --- /dev/null +++ b/lib/escape.c 
@@ -0,0 +1,111 @@ +/***************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * The contents of this file are subject to the Mozilla Public License + * Version 1.0 (the "License"); you may not use this file except in + * compliance with the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" + * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the + * License for the specific language governing rights and limitations + * under the License. + * + * The Original Code is Curl. + * + * The Initial Developer of the Original Code is Daniel Stenberg. + * + * Portions created by the Initial Developer are Copyright (C) 1998. + * All Rights Reserved. + * + * ------------------------------------------------------------ + * Main author: + * - Daniel Stenberg + * + * http://curl.haxx.nu + * + * $Source$ + * $Revision$ + * $Date$ + * $Author$ + * $State$ + * $Locker$ + * + * ------------------------------------------------------------ + ****************************************************************************/ + +/* Escape and unescape URL encoding in strings. The functions return a new + * allocated string or NULL if an error occurred. 
*/ + +#include +#include +#include + +char *curl_escape(char *string) +{ + int alloc=strlen(string); + char *ns = malloc(alloc); + unsigned char in; + int newlen = alloc; + int index=0; + + while(*string) { + in = *string; + if(' ' == in) + ns[index++] = '+'; + else if(!(in >= 'a' && in <= 'z') && + !(in >= 'A' && in <= 'Z') && + !(in >= '0' && in <= '9')) { + /* encode it */ + newlen += 2; /* the size grows with two, since this'll become a %XX */ + if(newlen > alloc) { + alloc *= 2; + ns = realloc(ns, alloc); + if(!ns) + return NULL; + } + sprintf(&ns[index], "%%%02X", in); + index+=3; + } + else { + /* just copy this */ + ns[index++]=in; + } + string++; + } + ns[index]=0; /* terminate it */ + return ns; +} + +char *curl_unescape(char *string) +{ + int alloc = strlen(string); + char *ns = malloc(alloc); + unsigned char in; + int index=0; + int hex; + + + while(*string) { + in = *string; + if('+' == in) + in = ' '; + else if('%' == in) { + /* encoded part */ + if(sscanf(string+1, "%02X", &hex)) { + in = hex; + string+=2; + } + } + + ns[index++] = in; + string++; + } + ns[index]=0; /* terminate it */ + return ns; + +} -- cgit v1.2.1 From 211b9e552ddd0d612c7963e34d6fb2791a841ae7 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 20 Mar 2000 10:22:12 +0000 Subject: curl_unescape() could make a buffer overflow --- lib/escape.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 68000cd71..274cd2dcd 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -47,7 +47,7 @@ char *curl_escape(char *string) { - int alloc=strlen(string); + int alloc=strlen(string)+1; char *ns = malloc(alloc); unsigned char in; int newlen = alloc; @@ -83,7 +83,7 @@ char *curl_escape(char *string) char *curl_unescape(char *string) { - int alloc = strlen(string); + int alloc = strlen(string)+1; char *ns = malloc(alloc); unsigned char in; int index=0; -- cgit v1.2.1 
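Review bot: Both `curl_escape` and `curl_unescape` size `ns` as `strlen(string)` with no byte for the terminator, so the final `ns[index]=0` lands one past the allocation whenever the output is as long as the input, and an empty input requests `malloc(0)` and then writes to it. In `curl_escape` the same shortfall bites earlier, because `sprintf` stores the three `%XX` characters plus its own NUL. Neither function checks the `malloc` result before the loop writes through `ns`. I would allocate `strlen(string)+1` in both and add `if(!ns) return NULL;` directly after each `malloc`.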
From 96dde76b99897352aa3d0877a0b621a9e605733e Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 22 May 2000 14:12:12 +0000 Subject: moved here from the newlib branch --- lib/escape.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 274cd2dcd..6ac8847a6 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -81,16 +81,15 @@ char *curl_escape(char *string) return ns; } -char *curl_unescape(char *string) +char *curl_unescape(char *string, int length) { - int alloc = strlen(string)+1; + int alloc = (length?length:strlen(string))+1; char *ns = malloc(alloc); unsigned char in; int index=0; int hex; - - - while(*string) { + + while(--alloc) { in = *string; if('+' == in) in = ' '; -- cgit v1.2.1 From 1ef3600a0731fef8f59563a1e49981f1b64b9746 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 20 Jun 2000 15:31:26 +0000 Subject: haxx.nu => haxx.se --- lib/escape.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 6ac8847a6..0a8c5cf37 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -24,9 +24,9 @@ * * ------------------------------------------------------------ * Main author: - * - Daniel Stenberg + * - Daniel Stenberg * - * http://curl.haxx.nu + * http://curl.haxx.se * * $Source$ * $Revision$ -- cgit v1.2.1 From 60eab89f10319fed1b5c6174a301b25f514c72b1 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 31 Aug 2000 12:03:04 +0000 Subject: in unescape(), '+' is now only converted to space after the first '?' --- lib/escape.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 0a8c5cf37..c728b80f8 100644 --- a/lib/escape.c +++ b/lib/escape.c 
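Review bot: The new `while(--alloc)` bound counts one input byte per iteration, but the `%XX` branch further down `curl_unescape` (outside this hunk) advances `string` by two extra bytes without touching `alloc`, so with an explicit `length` the loop reads past the caller's bound by two bytes per decoded escape. The decode branch needs a matching `alloc-=2;`, and the condition is safer as `while(--alloc > 0)` so that a count which goes negative ends the loop instead of continuing. A negative `length` is also not rejected before it is used to size the `malloc`.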
@@ -41,6 +41,9 @@ /* Escape and unescape URL encoding in strings. The functions return a new * allocated string or NULL if an error occurred. */ +#include "setup.h" +#include + #include #include #include @@ -88,17 +91,24 @@ char *curl_unescape(char *string, int length) unsigned char in; int index=0; int hex; + char querypart=FALSE; /* everything to the right of a '?' letter is + the "query part" where '+' should become ' '. + RFC 2316, section 3.10 */ while(--alloc) { in = *string; - if('+' == in) - in = ' '; + if(querypart && ('+' == in)) + in = ' '; + else if(!querypart && ('?' == in)) { + /* we have "walked in" to the query part */ + querypart=TRUE; + } else if('%' == in) { - /* encoded part */ - if(sscanf(string+1, "%02X", &hex)) { - in = hex; - string+=2; - } + /* encoded part */ + if(sscanf(string+1, "%02X", &hex)) { + in = hex; + string+=2; + } } ns[index++] = in; -- cgit v1.2.1 From 0f8facb49b45a711fa7832c68260a5b45b362922 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 9 Oct 2000 11:12:34 +0000 Subject: added memory debugging include file --- lib/escape.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index c728b80f8..048fd0f99 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -48,6 +48,11 @@ #include #include +/* The last #include file should be: */ +#ifdef MALLOCDEBUG +#include "memdebug.h" +#endif + char *curl_escape(char *string) { int alloc=strlen(string)+1; -- cgit v1.2.1 From b734bc37eb683451fb68a04466c3da8a54597fdf Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 21 Nov 2000 19:01:53 +0000 Subject: curl_unescape() did not stop at the set length properly when %-codes were used --- lib/escape.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 048fd0f99..74d8deea8 100644 --- a/lib/escape.c +++ b/lib/escape.c 
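Review bot: `if(sscanf(string+1, "%02X", &hex))` in the re-indented decode branch treats any non-zero return as success, and `sscanf` returns `EOF` when `%` is the last character, so `in` is then assigned an unset `hex` and `string+=2` steps over the terminator. A single hex digit after `%` moves the pointer past the terminator in the same way. Requiring both digits and exactly one conversion closes this, e.g. `if(isxdigit((unsigned char)string[1]) && isxdigit((unsigned char)string[2]) && sscanf(string+1, "%2X", &hex) == 1)` (needs ctype.h), and `hex` should be `unsigned int` to match `%X`. The comment's reference to "RFC 2316, section 3.10" does not look like the URL syntax document and is worth double-checking.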
@@ -100,7 +100,7 @@ char *curl_unescape(char *string, int length) the "query part" where '+' should become ' '. RFC 2316, section 3.10 */ - while(--alloc) { + while(--alloc > 0) { in = *string; if(querypart && ('+' == in)) in = ' '; @@ -113,6 +113,7 @@ char *curl_unescape(char *string, int length) if(sscanf(string+1, "%02X", &hex)) { in = hex; string+=2; + alloc-=2; } } -- cgit v1.2.1 From 24dee483e9e925c2ab79dd582f70c9a55ab9ba4d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 3 Jan 2001 09:29:33 +0000 Subject: dual-license fix --- lib/escape.c | 39 +++++++++++---------------------------- 1 file changed, 11 insertions(+), 28 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 74d8deea8..df8917842 100644 --- a/lib/escape.c +++ b/lib/escape.c 
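Review bot: The added `alloc-=2;` corrects the loop count, but the `sscanf(string+1, ...)` look-ahead just above it still runs before anything checks that two counted bytes remain, so a `%` in the last two positions of a length-bounded buffer that is not NUL-terminated is parsed from bytes beyond `length`. Guarding the branch with the remaining count, e.g. `else if(('%' == in) && (alloc > 2)) {`, keeps the read inside the caller's bound. Both hunks sit inside `curl_unescape`, whose body extends outside them.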
@@ -5,38 +5,21 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * The contents of this file are subject to the Mozilla Public License - * Version 1.0 (the "License"); you may not use this file except in - * compliance with the License. You may obtain a copy of the License at - * http://www.mozilla.org/MPL/ + * Copyright (C) 2000, Daniel Stenberg, , et al. * - * Software distributed under the License is distributed on an "AS IS" - * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See the - * License for the specific language governing rights and limitations - * under the License. + * In order to be useful for every potential user, curl and libcurl are + * dual-licensed under the MPL and the MIT/X-derivate licenses. * - * The Original Code is Curl. + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the MPL or the MIT/X-derivate + * licenses. You may pick one of these licenses. * - * The Initial Developer of the Original Code is Daniel Stenberg. + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. * - * Portions created by the Initial Developer are Copyright (C) 1998. - * All Rights Reserved. - * - * ------------------------------------------------------------ - * Main author: - * - Daniel Stenberg - * - * http://curl.haxx.se - * - * $Source$ - * $Revision$ - * $Date$ - * $Author$ - * $State$ - * $Locker$ - * - * ------------------------------------------------------------ - ****************************************************************************/ + * $Id$ + *****************************************************************************/ /* Escape and unescape URL encoding in strings. The functions return a new * allocated string or NULL if an error occurred. */ -- cgit v1.2.1 
From 0dc8c4d4511e4981a9823298df3cc2cc5d866329 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 9 Mar 2001 15:11:39 +0000 Subject: use unsigned int hex to receive the hex digit in, caused a warning with -Wall and a new gcc --- lib/escape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index df8917842..ddb364a9c 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -78,7 +78,7 @@ char *curl_unescape(char *string, int length) char *ns = malloc(alloc); unsigned char in; int index=0; - int hex; + unsigned int hex; char querypart=FALSE; /* everything to the right of a '?' letter is the "query part" where '+' should become ' '. RFC 2316, section 3.10 */ -- cgit v1.2.1 From f8d883355d8a0965534ef8a6da99bd7195cf56d0 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 22 Mar 2001 11:40:58 +0000 Subject: the new escape/unescape function setup --- lib/escape.c | 120 +++++++++++++++++++++++++++++------------------------------ 1 file changed, 60 insertions(+), 60 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index ddb364a9c..f0e67d38f 100644 --- a/lib/escape.c +++ b/lib/escape.c 
@@ -36,74 +36,74 @@ #include "memdebug.h" #endif -char *curl_escape(char *string) +char *curl_escape(char *string, int length) { - int alloc=strlen(string)+1; - char *ns = malloc(alloc); - unsigned char in; - int newlen = alloc; - int index=0; + int alloc = (length?length:strlen(string))+1; + char *ns = malloc(alloc); + unsigned char in; + int newlen = alloc; + int index=0; - while(*string) { - in = *string; - if(' ' == in) - ns[index++] = '+'; - else if(!(in >= 'a' && in <= 'z') && - !(in >= 'A' && in <= 'Z') && - !(in >= '0' && in <= '9')) { - /* encode it */ - newlen += 2; /* the size grows with two, since this'll become a %XX */ - if(newlen > alloc) { - alloc *= 2; - ns = realloc(ns, alloc); - if(!ns) - return NULL; - } - sprintf(&ns[index], "%%%02X", in); - index+=3; + while(length--) { + in = *string; + if(' ' == in) + ns[index++] = '+'; + else if(!(in >= 'a' && in <= 'z') && + !(in >= 'A' && in <= 'Z') && + !(in >= '0' && in <= '9')) { + /* encode it */ + newlen += 2; /* the size grows with two, since this'll become a %XX */ + if(newlen > alloc) { + alloc *= 2; + ns = realloc(ns, alloc); + if(!ns) + return NULL; } - else { - /* just copy this */ - ns[index++]=in; - } - string++; - } - ns[index]=0; /* terminate it */ - return ns; + sprintf(&ns[index], "%%%02X", in); + index+=3; + } + else { + /* just copy this */ + ns[index++]=in; + } + string++; + } + ns[index]=0; /* terminate it */ + return ns; } char *curl_unescape(char *string, int length) { - int alloc = (length?length:strlen(string))+1; - char *ns = malloc(alloc); - unsigned char in; - int index=0; - unsigned int hex; - char querypart=FALSE; /* everything to the right of a '?' letter is - the "query part" where '+' should become ' '. - RFC 2316, section 3.10 */ + int alloc = (length?length:strlen(string))+1; + char *ns = malloc(alloc); + unsigned char in; + int index=0; + unsigned int hex; + char querypart=FALSE; /* everything to the right of a '?' 
letter is + the "query part" where '+' should become ' '. + RFC 2316, section 3.10 */ - while(--alloc > 0) { - in = *string; - if(querypart && ('+' == in)) - in = ' '; - else if(!querypart && ('?' == in)) { - /* we have "walked in" to the query part */ - querypart=TRUE; - } - else if('%' == in) { - /* encoded part */ - if(sscanf(string+1, "%02X", &hex)) { - in = hex; - string+=2; - alloc-=2; - } + while(--alloc > 0) { + in = *string; + if(querypart && ('+' == in)) + in = ' '; + else if(!querypart && ('?' == in)) { + /* we have "walked in" to the query part */ + querypart=TRUE; + } + else if('%' == in) { + /* encoded part */ + if(sscanf(string+1, "%02X", &hex)) { + in = hex; + string+=2; + alloc-=2; } - - ns[index++] = in; - string++; - } - ns[index]=0; /* terminate it */ - return ns; + } + + ns[index++] = in; + string++; + } + ns[index]=0; /* terminate it */ + return ns; } -- cgit v1.2.1 From 58085dbbf61e2fb11d0d62438be8343cc6c8df9e Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 22 Mar 2001 18:06:08 +0000 Subject: Jim Drash suggested and I made it not encode what looks like an already encoded letter (in curl_escape) --- lib/escape.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index f0e67d38f..a753697e5 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -25,6 +25,7 @@ * allocated string or NULL if an error occurred. */ #include "setup.h" +#include #include #include 
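Review bot: In the new `curl_escape`, a `length` of 0 is treated by the `alloc` expression as "use `strlen(string)`", but the loop is `while(length--)`, which does not execute at all for 0, so every caller passing a NUL-terminated string with length 0 gets an empty result. Setting `length = alloc-1;` before the loop makes the count match the allocation. A negative `length` is not rejected either and would make `while(length--)` run far past the input.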
@@ -52,14 +53,28 @@ char *curl_escape(char *string, int length) !(in >= 'A' && in <= 'Z') && !(in >= '0' && in <= '9')) { /* encode it */ - newlen += 2; /* the size grows with two, since this'll become a %XX */ - if(newlen > alloc) { - alloc *= 2; - ns = realloc(ns, alloc); - if(!ns) - return NULL; + if(('%' == in) && + (length>=2) && + isxdigit((int)string[1]) && + isxdigit((int)string[2]) ) { + /* + * This is an already encoded letter, leave it! + */ + memcpy(&ns[index], string, 3); + string+=2; + } + else { + /* encode this now */ + + newlen += 2; /* the size grows with two, since this'll become a %XX */ + if(newlen > alloc) { + alloc *= 2; + ns = realloc(ns, alloc); + if(!ns) + return NULL; + } + sprintf(&ns[index], "%%%02X", in); } - sprintf(&ns[index], "%%%02X", in); index+=3; } else { -- cgit v1.2.1 From 84e71e1c500dca251deb98c3c5b8af7765861ebc Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 7 Apr 2001 18:35:28 +0000 Subject: =?UTF-8?q?Andr=E9s=20Garc=EDa=20fixed=20curl=5Fescape()?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- lib/escape.c | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index a753697e5..140bd655e 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -45,6 +45,7 @@ char *curl_escape(char *string, int length) int newlen = alloc; int index=0; + length = alloc-1; while(length--) { in = *string; if(' ' == in) -- cgit v1.2.1 From 2827f5327aad6a0341b4ed3231e414ff9a980101 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sun, 5 Aug 2001 12:34:07 +0000 Subject: curl_escape() no longer attempts to detect already encoded stuff (in order not to re-encode it). --- lib/escape.c | 27 +++++++-------------------- 1 file changed, 7 insertions(+), 20 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 140bd655e..b5d35255d 100644 --- a/lib/escape.c +++ b/lib/escape.c 
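Review bot: The already-encoded branch advances the input with `string+=2;` but leaves `length` unchanged, so the `while(length--)` loop runs two iterations too many for every preserved `%XX`, reading past the end of the input and writing the extra bytes into `ns`. Add `length-=2;` next to the pointer bump. `isxdigit((int)string[1])` also passes a plain `char`, which is undefined for negative values; cast through `unsigned char` instead, as in `isxdigit((unsigned char)string[1])`.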
@@ -54,28 +54,15 @@ char *curl_escape(char *string, int length) !(in >= 'A' && in <= 'Z') && !(in >= '0' && in <= '9')) { /* encode it */ - if(('%' == in) && - (length>=2) && - isxdigit((int)string[1]) && - isxdigit((int)string[2]) ) { - /* - * This is an already encoded letter, leave it! - */ - memcpy(&ns[index], string, 3); - string+=2; + newlen += 2; /* the size grows with two, since this'll become a %XX */ + if(newlen > alloc) { + alloc *= 2; + ns = realloc(ns, alloc); + if(!ns) + return NULL; } - else { - /* encode this now */ + sprintf(&ns[index], "%%%02X", in); - newlen += 2; /* the size grows with two, since this'll become a %XX */ - if(newlen > alloc) { - alloc *= 2; - ns = realloc(ns, alloc); - if(!ns) - return NULL; - } - sprintf(&ns[index], "%%%02X", in); - } index+=3; } else { -- cgit v1.2.1 From 7b4b166718cb01b170668e916d0bad09518eacc1 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 14 Aug 2001 08:20:17 +0000 Subject: added typecasts when converting from unsigned int to int --- lib/escape.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index b5d35255d..167129df6 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -39,7 +39,7 @@ char *curl_escape(char *string, int length) { - int alloc = (length?length:strlen(string))+1; + int alloc = (length?length:(int)strlen(string))+1; char *ns = malloc(alloc); unsigned char in; int newlen = alloc; @@ -77,7 +77,7 @@ char *curl_escape(char *string, int length) char *curl_unescape(char *string, int length) { - int alloc = (length?length:strlen(string))+1; + int alloc = (length?length:(int)strlen(string))+1; char *ns = malloc(alloc); unsigned char in; int index=0; -- cgit v1.2.1 From 08655d8d5d0ea980227096366c231693198e61d6 Mon Sep 17 00:00:00 2001 
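Review bot: The restored growth path still assigns `realloc` straight back to `ns` (`ns = realloc(ns, alloc); if(!ns) return NULL;`), so a failed grow loses the only pointer to the original buffer and leaks it. Hold the result in a temporary and release the old block on failure, e.g. `tmp = realloc(ns, alloc); if(!tmp) { free(ns); return NULL; } ns = tmp;`. The enclosing `curl_escape` starts and ends outside this hunk.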
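Review bot: The `(int)strlen(string)` cast silences the conversion warning without making the conversion safe: a string longer than `INT_MAX` still produces a negative or truncated `alloc`, and that value then sizes the `malloc` in `curl_escape` here and in `curl_unescape` in the second hunk. Keeping the size in a `size_t`, e.g. `size_t alloc = (length ? (size_t)length : strlen(string)) + 1;`, removes the truncation instead of hiding it. `curl_unescape` counts down on `alloc` and subtracts 2 from it, so there the count-down would need its own signed or bounds-checked variable.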
From: Daniel Stenberg Date: Tue, 21 Aug 2001 13:18:07 +0000 Subject: Georg Huettenegger's patch curl-7.8.1-pre5-patch-20010819 --- lib/escape.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 167129df6..ab355bf0f 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -37,7 +37,7 @@ #include "memdebug.h" #endif -char *curl_escape(char *string, int length) +char *curl_escape(const char *string, int length) { int alloc = (length?length:(int)strlen(string))+1; char *ns = malloc(alloc); @@ -75,7 +75,7 @@ char *curl_escape(char *string, int length) return ns; } -char *curl_unescape(char *string, int length) +char *curl_unescape(const char *string, int length) { int alloc = (length?length:(int)strlen(string))+1; char *ns = malloc(alloc); -- cgit v1.2.1 From 6147879837a53d22c9be04e7a4fc315a297ba2b3 Mon Sep 17 00:00:00 2001 From: Sterling Hughes Date: Fri, 7 Sep 2001 04:01:32 +0000 Subject: Added formatting sections for emacs and vim --- lib/escape.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index ab355bf0f..10a863ece 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -110,3 +110,11 @@ char *curl_unescape(const char *string, int length) return ns; } + +/* + * local variables: + * eval: (load-file "../curl-mode.el") + * end: + * vim600: et sw=2 ts=2 sts=2 tw=78 fdm=marker + * vim<600: et sw=2 ts=2 sts=2 tw=78 + */ -- cgit v1.2.1 From 8e91d5de8e4e17ce3d4936cc91171d09726e7bb3 Mon Sep 17 00:00:00 2001 From: Sterling Hughes Date: Thu, 11 Oct 2001 09:32:19 +0000 Subject: looks nicer and is better compatible with older vim versions --- lib/escape.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 10a863ece..88f4359f7 100644 --- a/lib/escape.c +++ b/lib/escape.c 
@@ -115,6 +115,6 @@ char *curl_unescape(const char *string, int length) * local variables: * eval: (load-file "../curl-mode.el") * end: - * vim600: et sw=2 ts=2 sts=2 tw=78 fdm=marker - * vim<600: et sw=2 ts=2 sts=2 tw=78 + * vim600: fdm=marker + * vim: et sw=2 ts=2 sts=2 tw=78 */ -- cgit v1.2.1 From 974f314f5785156af6983675aeb28313cc8ba2ea Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 19 Mar 2002 07:54:55 +0000 Subject: copyright string (year) update --- lib/escape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 88f4359f7..f798327a8 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 2000, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2002, Daniel Stenberg, , et al. * * In order to be useful for every potential user, curl and libcurl are * dual-licensed under the MPL and the MIT/X-derivate licenses. -- cgit v1.2.1 From 2f8e7f56b32f7ccf6c5f18a310d170289dfd4e1c Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 26 Jun 2002 07:15:31 +0000 Subject: ignore '+' in URLs, generate only %-codes --- lib/escape.c | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index f798327a8..15ce3e3fa 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -48,11 +48,9 @@ char *curl_escape(const char *string, int length) length = alloc-1; while(length--) { in = *string; - if(' ' == in) - ns[index++] = '+'; - else if(!(in >= 'a' && in <= 'z') && - !(in >= 'A' && in <= 'Z') && - !(in >= '0' && in <= '9')) { + if(!(in >= 'a' && in <= 'z') && + !(in >= 'A' && in <= 'Z') && + !(in >= '0' && in <= '9')) { /* encode it */ newlen += 2; /* the size grows with two, since this'll become a %XX */ if(newlen > alloc) { 
@@ -82,19 +80,10 @@ char *curl_unescape(const char *string, int length) unsigned char in; int index=0; unsigned int hex; - char querypart=FALSE; /* everything to the right of a '?' letter is - the "query part" where '+' should become ' '. - RFC 2316, section 3.10 */ while(--alloc > 0) { in = *string; - if(querypart && ('+' == in)) - in = ' '; - else if(!querypart && ('?' == in)) { - /* we have "walked in" to the query part */ - querypart=TRUE; - } - else if('%' == in) { + if('%' == in) { /* encoded part */ if(sscanf(string+1, "%02X", &hex)) { in = hex; -- cgit v1.2.1 From ba4e69bebc8f7f32f3bc7faa1e13e7580754075b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 3 Sep 2002 11:52:59 +0000 Subject: updated source code boilerplate/header --- lib/escape.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 15ce3e3fa..bb8722e14 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -1,4 +1,4 @@ -/***************************************************************************** +/*************************************************************************** * _ _ ____ _ * Project ___| | | | _ \| | * / __| | | | |_) | | 
@@ -7,19 +7,19 @@ * * Copyright (C) 1998 - 2002, Daniel Stenberg, , et al. * - * In order to be useful for every potential user, curl and libcurl are - * dual-licensed under the MPL and the MIT/X-derivate licenses. - * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at http://curl.haxx.se/docs/copyright.html. + * * You may opt to use, copy, modify, merge, publish, distribute and/or sell * copies of the Software, and permit persons to whom the Software is - * furnished to do so, under the terms of the MPL or the MIT/X-derivate - * licenses. You may pick one of these licenses. + * furnished to do so, under the terms of the COPYING file. * * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY * KIND, either express or implied. * * $Id$ - *****************************************************************************/ + ***************************************************************************/ /* Escape and unescape URL encoding in strings. The functions return a new * allocated string or NULL if an error occurred. */ -- cgit v1.2.1 From 6883f0c49fc0ad41a08d885990fe62fa6d66b40f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 25 Sep 2002 12:26:07 +0000 Subject: Walter J. Mack added curl_free --- lib/escape.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index bb8722e14..0ec7ae5c0 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -100,6 +100,11 @@ char *curl_unescape(const char *string, int length) } +void curl_free(void *p) +{ + free(p); +} + /* * local variables: * eval: (load-file "../curl-mode.el") -- cgit v1.2.1 From 6a7e53a7c7fa468d25adc5d6bda9b6bf6c1abc8c Mon Sep 17 00:00:00 2001 
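Review bot: `curl_free` is added without a comment saying why a public wrapper around `free` exists or which pointers it is meant for. A short header such as `/* Releases memory returned by this library (e.g. curl_escape/curl_unescape) with the library's own allocator */` would tell callers to pair it with library allocations instead of calling their own `free` on them.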
From: Jean-Philippe Barette-LaPierre Date: Wed, 8 Jan 2003 02:27:47 +0000 Subject: fixed a very, very rare and very, very little memory leak --- lib/escape.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 0ec7ae5c0..b35333ddf 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -41,6 +41,7 @@ char *curl_escape(const char *string, int length) { int alloc = (length?length:(int)strlen(string))+1; char *ns = malloc(alloc); + char *testing_ptr = NULL; unsigned char in; int newlen = alloc; int index=0; @@ -55,9 +56,14 @@ char *curl_escape(const char *string, int length) newlen += 2; /* the size grows with two, since this'll become a %XX */ if(newlen > alloc) { alloc *= 2; - ns = realloc(ns, alloc); - if(!ns) + testing_ptr = realloc(ns, alloc); + if(!testing_ptr) { + free( ns ); return NULL; + } + else { + ns = testing_ptr; + } } sprintf(&ns[index], "%%%02X", in); @@ -80,6 +86,10 @@ char *curl_unescape(const char *string, int length) unsigned char in; int index=0; unsigned int hex; + + if( !ns ) { + return NULL; + } while(--alloc > 0) { in = *string; @@ -97,7 +107,6 @@ char *curl_unescape(const char *string, int length) } ns[index]=0; /* terminate it */ return ns; - } void curl_free(void *p) -- cgit v1.2.1 From f26a338a54e04d0a6907f5d2479d8b0fa9daf297 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 16 Jan 2003 21:08:12 +0000 Subject: copyright year update in the source header --- lib/escape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index b35333ddf..05606cbdc 100644 --- a/lib/escape.c +++ b/lib/escape.c 
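Review bot: `curl_unescape` gains an `if( !ns )` check in the third hunk, but `curl_escape` in the first hunk still uses `ns` from `malloc(alloc)` unchecked, so an allocation failure there becomes a NULL write in the loop or at the final terminator. Add `if(!ns) return NULL;` after the declarations in `curl_escape` as well. `testing_ptr` is only used inside the grow branch and could be declared at the top of that block.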
@@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2002, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2003, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms -- cgit v1.2.1 From a7c72b7abf1213c471f3fd11e6b8e3a37d526f60 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 29 Jan 2003 10:14:20 +0000 Subject: removed the local variables for emacs and vim, use the new sample.emacs way for emacs, and vim users should provide a similar non-polluting style --- lib/escape.c | 8 -------- 1 file changed, 8 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 05606cbdc..4dfdfa9a8 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -113,11 +113,3 @@ void curl_free(void *p) { free(p); } - -/* - * local variables: - * eval: (load-file "../curl-mode.el") - * end: - * vim600: fdm=marker - * vim: et sw=2 ts=2 sts=2 tw=78 - */ -- cgit v1.2.1 From 23563255921b055db38867a997806d139039061e Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 21 May 2003 15:53:59 +0000 Subject: David Balazic pointed out the lack of checks for a valid %XX code when we unescape a string. We now check and decode only valid %XX strings. --- lib/escape.c | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 4dfdfa9a8..354b284e2 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -79,6 +79,10 @@ char *curl_escape(const char *string, int length) return ns; } +#define ishex(in) ((in >= 'a' && in <= 'f') || \ + (in >= 'A' && in <= 'F') || \ + (in >= '0' && in <= '9')) + char *curl_unescape(const char *string, int length) { int alloc = (length?length:(int)strlen(string))+1; 
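Review bot: The `ishex(in)` macro uses its parameter unparenthesized and evaluates it up to six times, and the parameter name matches the local `in` used in both functions, which makes the call sites harder to read. Writing the comparisons as `((c) >= 'a' && (c) <= 'f')` and so on, or using `isxdigit((unsigned char)(c))`, avoids both problems. In the second hunk the macro is applied to `string[1]` and `string[2]` before anything checks that two counted bytes remain, so with an explicit `length` on a buffer that is not NUL-terminated the look-ahead can read past the caller's bound; adding `(alloc > 2) &&` to that condition would cover it.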
@@ -93,13 +97,19 @@ char *curl_unescape(const char *string, int length) while(--alloc > 0) { in = *string; - if('%' == in) { - /* encoded part */ - if(sscanf(string+1, "%02X", &hex)) { - in = hex; - string+=2; - alloc-=2; - } + if(('%' == in) && ishex(string[1]) && ishex(string[2])) { + /* this is two hexadecimal digits following a '%' */ + char hexstr[3]; + char *ptr; + hexstr[0] = string[1]; + hexstr[1] = string[2]; + hexstr[2] = 0; + + hex = strtol(hexstr, &ptr, 16); + + in = hex; + string+=2; + alloc-=2; } ns[index++] = in; @@ -109,6 +119,9 @@ char *curl_unescape(const char *string, int length) return ns; } +/* For operating systems/environments that use different malloc/free + ssystems for the app and for this library, we provide a free that uses + the library's memory system */ void curl_free(void *p) { free(p); -- cgit v1.2.1 From 2bd71d70ff8b14649840e16b497acf0ca1e0e32f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 26 Jun 2003 06:50:32 +0000 Subject: use CURLDEBUG instead of MALLOCDEBUG --- lib/escape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 354b284e2..21acfae2d 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -33,7 +33,7 @@ #include /* The last #include file should be: */ -#ifdef MALLOCDEBUG +#ifdef CURLDEBUG #include "memdebug.h" #endif -- cgit v1.2.1 From 053f6c85efd0bf698f73343989474d672d0563a8 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 7 Jan 2004 09:19:33 +0000 Subject: updated year in the copyright string --- lib/escape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 21acfae2d..2ecec11b0 100644 --- a/lib/escape.c +++ b/lib/escape.c 
@@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2003, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2004, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms -- cgit v1.2.1 From 4d17d6876e4b2f08380812c4ec113073b0a14639 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 29 Jan 2004 13:56:45 +0000 Subject: Dan Fandrich's cleanup patch to make pedantic compiler options cause less warnings. Minor edits by me. --- lib/escape.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 2ecec11b0..87a9f1b9e 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -44,7 +44,7 @@ char *curl_escape(const char *string, int length) char *testing_ptr = NULL; unsigned char in; int newlen = alloc; - int index=0; + int strindex=0; length = alloc-1; while(length--) { @@ -65,17 +65,17 @@ char *curl_escape(const char *string, int length) ns = testing_ptr; } } - sprintf(&ns[index], "%%%02X", in); + sprintf(&ns[strindex], "%%%02X", in); - index+=3; + strindex+=3; } else { /* just copy this */ - ns[index++]=in; + ns[strindex++]=in; } string++; } - ns[index]=0; /* terminate it */ + ns[strindex]=0; /* terminate it */ return ns; } @@ -88,7 +88,7 @@ char *curl_unescape(const char *string, int length) int alloc = (length?length:(int)strlen(string))+1; char *ns = malloc(alloc); unsigned char in; - int index=0; + int strindex=0; unsigned int hex; if( !ns ) { @@ -112,10 +112,10 @@ char *curl_unescape(const char *string, int length) alloc-=2; } - ns[index++] = in; + ns[strindex++] = in; string++; } - ns[index]=0; /* terminate it */ + ns[strindex]=0; /* terminate it */ return ns; } -- cgit v1.2.1 From a684c51c9b2e055e409b77dc0a61d96bdec7490f Mon Sep 17 00:00:00 2001 
From: Daniel Stenberg Date: Mon, 8 Mar 2004 08:38:29 +0000 Subject: size_t/int/long fixes --- lib/escape.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 87a9f1b9e..23c3821fa 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -39,11 +39,11 @@ char *curl_escape(const char *string, int length) { - int alloc = (length?length:(int)strlen(string))+1; + size_t alloc = (length?(size_t)length:strlen(string))+1; char *ns = malloc(alloc); char *testing_ptr = NULL; unsigned char in; - int newlen = alloc; + size_t newlen = alloc; int strindex=0; length = alloc-1; @@ -89,7 +89,7 @@ char *curl_unescape(const char *string, int length) char *ns = malloc(alloc); unsigned char in; int strindex=0; - unsigned int hex; + long hex; if( !ns ) { return NULL; @@ -107,7 +107,7 @@ char *curl_unescape(const char *string, int length) hex = strtol(hexstr, &ptr, 16); - in = hex; + in = (unsigned char)hex; /* this long is never bigger than 255 anyway */ string+=2; alloc-=2; } -- cgit v1.2.1 From bbafb2eb27954c34967f91c705e74cc0c186970d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 11 May 2004 11:30:23 +0000 Subject: curl_global_init_mem() allows the memory functions to be replaced. memory.h is included everywhere for this. --- lib/escape.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 23c3821fa..b233600af 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -31,11 +31,10 @@ #include #include #include +#include "memory.h" /* The last #include file should be: */ -#ifdef CURLDEBUG #include "memdebug.h" -#endif char *curl_escape(const char *string, int length) { -- cgit v1.2.1 From c123676825719c3188becfc238ec83251e923867 Mon Sep 17 00:00:00 2001 
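Review bot: The new initializer in the `@@ -39,11 +39,11 @@` hunk casts `length` to `size_t` without rejecting negative values, so a negative argument becomes a huge size, and for `length == -1` the `+1` wraps `alloc` to 0. `malloc` is then asked for zero bytes while `length = alloc-1` still feeds the copy loop, which on typical platforms keeps running and writes past `ns`. A check before the size is computed closes this: `if(length < 0) return NULL;`, with `alloc` assigned after it instead of in its declaration. The same initializer is carried into the later `inlength` rename and into `curl_easy_escape`. The function body continues outside this hunk.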
From: Daniel Stenberg Date: Wed, 12 May 2004 13:04:30 +0000 Subject: return NULL on out of memory --- lib/escape.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index b233600af..87d3a79e2 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -39,12 +39,16 @@ char *curl_escape(const char *string, int length) { size_t alloc = (length?(size_t)length:strlen(string))+1; - char *ns = malloc(alloc); + char *ns; char *testing_ptr = NULL; unsigned char in; size_t newlen = alloc; int strindex=0; + ns = malloc(alloc); + if(!ns) + return NULL; + length = alloc-1; while(length--) { in = *string; @@ -90,9 +94,8 @@ char *curl_unescape(const char *string, int length) int strindex=0; long hex; - if( !ns ) { + if( !ns ) return NULL; - } while(--alloc > 0) { in = *string; -- cgit v1.2.1 From 5bf02b16a00cf0762b293e6df02f527838d7b5c9 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 13 May 2004 15:16:36 +0000 Subject: curl_free() doesn't free(NULL) but just returns --- lib/escape.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 87d3a79e2..600cece7c 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -126,5 +126,6 @@ char *curl_unescape(const char *string, int length) the library's memory system */ void curl_free(void *p) { - free(p); + if(p) + free(p); } -- cgit v1.2.1 From feb2dd283533f842c9b6e4cc2fcc7fd35638d5a0 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 24 Jun 2004 11:54:11 +0000 Subject: Replaced all uses of sprintf() with the safer snprintf(). It is just a precaution to prevent mistakes to lead to buffer overflows. --- lib/escape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 600cece7c..00e2fae6e 100644 --- a/lib/escape.c +++ b/lib/escape.c 
@@ -68,7 +68,7 @@ char *curl_escape(const char *string, int length) ns = testing_ptr; } } - sprintf(&ns[strindex], "%%%02X", in); + snprintf(&ns[strindex], 4, "%%%02X", in); strindex+=3; } -- cgit v1.2.1 From cf10df6c6805c8a4253b83a25997a7a41950f381 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 24 Jun 2004 14:35:45 +0000 Subject: include header for our printfs --- lib/escape.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 00e2fae6e..18444d6a9 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -1,8 +1,8 @@ /*************************************************************************** - * _ _ ____ _ - * Project ___| | | | _ \| | - * / __| | | | |_) | | - * | (__| |_| | _ <| |___ + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * * Copyright (C) 1998 - 2004, Daniel Stenberg, , et al. @@ -10,7 +10,7 @@ * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms * are also available at http://curl.haxx.se/docs/copyright.html. - * + * * You may opt to use, copy, modify, merge, publish, distribute and/or sell * copies of the Software, and permit persons to whom the Software is * furnished to do so, under the terms of the COPYING file. @@ -33,12 +33,15 @@ #include #include "memory.h" +#define _MPRINTF_REPLACE /* use our functions only */ +#include + /* The last #include file should be: */ #include "memdebug.h" char *curl_escape(const char *string, int length) { - size_t alloc = (length?(size_t)length:strlen(string))+1; + size_t alloc = (length?(size_t)length:strlen(string))+1; char *ns; char *testing_ptr = NULL; unsigned char in; 
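Review bot: The size argument `4` in the `@@ -68,7 +68,7 @@` hunk is exactly what `"%%%02X"` produces for an `unsigned char` (three characters plus the terminator), so this `snprintf` can never truncate and would not catch a miscalculated `ns` allocation, which is the kind of mistake the commit message is aiming at. Passing the space that is really left makes the bound meaningful: `snprintf(&ns[strindex], alloc - (size_t)strindex, "%%%02X", in);`. The rest of `curl_escape`, including the code that grows `alloc`, is outside this hunk.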
@@ -93,10 +96,10 @@ char *curl_unescape(const char *string, int length) unsigned char in; int strindex=0; long hex; - + if( !ns ) return NULL; - + while(--alloc > 0) { in = *string; if(('%' == in) && ishex(string[1]) && ishex(string[2])) { @@ -113,7 +116,7 @@ char *curl_unescape(const char *string, int length) string+=2; alloc-=2; } - + ns[strindex++] = in; string++; } -- cgit v1.2.1 From 090b89cc76acfa0bb388a9eb425dfaa81f62b5ae Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 1 Jul 2004 08:10:21 +0000 Subject: Variable type cleanups to please the picky MIPSPro compiler. --- lib/escape.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 18444d6a9..4466d4cc9 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -39,14 +39,15 @@ /* The last #include file should be: */ #include "memdebug.h" -char *curl_escape(const char *string, int length) +char *curl_escape(const char *string, int inlength) { - size_t alloc = (length?(size_t)length:strlen(string))+1; + size_t alloc = (inlength?(size_t)inlength:strlen(string))+1; char *ns; char *testing_ptr = NULL; unsigned char in; size_t newlen = alloc; int strindex=0; + size_t length; ns = malloc(alloc); if(!ns) -- cgit v1.2.1 From 5a4b43848ac21b3d831f00ce11136e20f820f0a0 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 7 Apr 2006 21:50:47 +0000 Subject: First commit of David McCreedy's EBCDIC and TPF changes. --- lib/escape.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 52 insertions(+), 2 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 4466d4cc9..c569902f6 100644 --- a/lib/escape.c +++ b/lib/escape.c 
@@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2004, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2006, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -32,6 +32,9 @@ #include #include #include "memory.h" +/* urldata.h and easyif.h are included for Curl_convert_... prototypes */ +#include "urldata.h" +#include "easyif.h" #define _MPRINTF_REPLACE /* use our functions only */ #include @@ -39,7 +42,19 @@ /* The last #include file should be: */ #include "memdebug.h" +/* for ABI-compatibility with previous versions */ char *curl_escape(const char *string, int inlength) +{ + return curl_easy_escape(NULL, string, inlength); +} + +/* for ABI-compatibility with previous versions */ +char *curl_unescape(const char *string, int length) +{ + return curl_easy_unescape(NULL, string, length, NULL); +} + +char *curl_easy_escape(CURL *handle, const char *string, int inlength) { size_t alloc = (inlength?(size_t)inlength:strlen(string))+1; char *ns; @@ -49,6 +64,10 @@ char *curl_escape(const char *string, int inlength) int strindex=0; size_t length; +#ifndef CURL_DOES_CONVERSIONS + /* avoid compiler warnings */ + (void)handle; +#endif ns = malloc(alloc); if(!ns) return NULL; @@ -72,6 +91,17 @@ char *curl_escape(const char *string, int inlength) ns = testing_ptr; } } + +#ifdef CURL_DOES_CONVERSIONS +/* escape sequences are always in ASCII so convert them on non-ASCII hosts */ + if (!handle || + (Curl_convert_to_network(handle, &in, 1) != CURLE_OK)) { + /* Curl_convert_to_network calls failf if unsuccessful */ + free(ns); + return NULL; + } +#endif /* CURL_DOES_CONVERSIONS */ + snprintf(&ns[strindex], 4, "%%%02X", in); strindex+=3; 
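Review bot: Under CURL_DOES_CONVERSIONS the block added in the `@@ -72,6 +91,17 @@` hunk returns NULL whenever `handle` is NULL, and the compatibility wrappers added in the `@@ -39,7 +42,19 @@` hunk always pass NULL, so on such builds `curl_escape()` fails for every input holding a byte that needs encoding. The `@@ -114,6 +149,17 @@` hunk does the same for `curl_unescape()` and any `%XX` sequence. The in-line comment says the convert function reports through failf, but the `!handle` short-circuit returns before it is called, so nothing is reported. If that limit is intended, the wrappers' comment should say so, for instance `/* for ABI-compatibility with previous versions; on CURL_DOES_CONVERSIONS builds this returns NULL when a byte needs conversion, as no handle is available */`.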
@@ -90,7 +120,8 @@ char *curl_escape(const char *string, int inlength) (in >= 'A' && in <= 'F') || \ (in >= '0' && in <= '9')) -char *curl_unescape(const char *string, int length) +char *curl_easy_unescape(CURL *handle, const char *string, int length, + int *olen) { int alloc = (length?length:(int)strlen(string))+1; char *ns = malloc(alloc); @@ -98,6 +129,10 @@ char *curl_unescape(const char *string, int length) int strindex=0; long hex; +#ifndef CURL_DOES_CONVERSIONS + /* avoid compiler warnings */ + (void)handle; +#endif if( !ns ) return NULL; @@ -114,6 +149,17 @@ char *curl_unescape(const char *string, int length) hex = strtol(hexstr, &ptr, 16); in = (unsigned char)hex; /* this long is never bigger than 255 anyway */ + +#ifdef CURL_DOES_CONVERSIONS +/* escape sequences are always in ASCII so convert them on non-ASCII hosts */ + if (!handle || + (Curl_convert_from_network(handle, &in, 1) != CURLE_OK)) { + /* Curl_convert_from_network calls failf if unsuccessful */ + free(ns); + return NULL; + } +#endif /* CURL_DOES_CONVERSIONS */ + string+=2; alloc-=2; } @@ -122,6 +168,10 @@ char *curl_unescape(const char *string, int length) string++; } ns[strindex]=0; /* terminate it */ + + if(olen) + /* store output size */ + *olen = strindex; return ns; } -- cgit v1.2.1 From 44d84ac1646cf04ccc2c1a736f3c9d1644ccacec Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 17 Oct 2006 21:32:56 +0000 Subject: Avoid typecasting a signed char to an int when using is*() functions, as that could very well cause a negate number get passed in and thus cause reading outside of the array usually used for this purpose. We avoid this by using the uppercase macro versions introduced just now that does some extra crazy typecasts to avoid byte codes > 127 to cause negative int values. --- lib/escape.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index c569902f6..9552b0f31 100644 --- a/lib/escape.c 
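Review bot: The `@@ -122,6 +168,10 @@` hunk stores the decoded length in `*olen`, but nothing tells callers that they need it: a `%00` in the input is decoded to a zero byte in the middle of `ns`, and the `curl_unescape()` wrapper passes NULL for `olen`. A caller that treats the result as a C string then sees only the part before that byte, which can differ from what an earlier check on the encoded form saw. I would document this at the function, e.g. `/* the decoded data may contain zero bytes (from %00); use *olen, not strlen(), for its length */`. The function body starts outside this hunk.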
+++ b/lib/escape.c @@ -116,10 +116,6 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) return ns; } -#define ishex(in) ((in >= 'a' && in <= 'f') || \ - (in >= 'A' && in <= 'F') || \ - (in >= '0' && in <= '9')) - char *curl_easy_unescape(CURL *handle, const char *string, int length, int *olen) { @@ -138,7 +134,7 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, while(--alloc > 0) { in = *string; - if(('%' == in) && ishex(string[1]) && ishex(string[2])) { + if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { /* this is two hexadecimal digits following a '%' */ char hexstr[3]; char *ptr; -- cgit v1.2.1 From 1926f4573d43f35f33b524d120e847ea819cc7c7 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 4 Aug 2007 20:47:59 +0000 Subject: Patrick Monnerat fixed curl_easy_escape() and curlx_strtoll() to work on non-ASCII systems. --- lib/escape.c | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 9552b0f31..06ac04d71 100644 --- a/lib/escape.c +++ b/lib/escape.c 
@@ -75,9 +75,27 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) length = alloc-1; while(length--) { in = *string; - if(!(in >= 'a' && in <= 'z') && - !(in >= 'A' && in <= 'Z') && - !(in >= '0' && in <= '9')) { + + /* Portable character check (remember EBCDIC). Do not use isalnum() because + its behavior is altered by the current locale. */ + + switch (in) { + case '0': case '1': case '2': case '3': case '4': + case '5': case '6': case '7': case '8': case '9': + case 'a': case 'b': case 'c': case 'd': case 'e': + case 'f': case 'g': case 'h': case 'i': case 'j': + case 'k': case 'l': case 'm': case 'n': case 'o': + case 'p': case 'q': case 'r': case 's': case 't': + case 'u': case 'v': case 'w': case 'x': case 'y': case 'z': + case 'A': case 'B': case 'C': case 'D': case 'E': + case 'F': case 'G': case 'H': case 'I': case 'J': + case 'K': case 'L': case 'M': case 'N': case 'O': + case 'P': case 'Q': case 'R': case 'S': case 'T': + case 'U': case 'V': case 'W': case 'X': case 'Y': case 'Z': + /* just copy this */ + ns[strindex++]=in; + break; + default: /* encode it */ newlen += 2; /* the size grows with two, since this'll become a %XX */ if(newlen > alloc) { @@ -105,10 +123,7 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) snprintf(&ns[strindex], 4, "%%%02X", in); strindex+=3; - } - else { - /* just copy this */ - ns[strindex++]=in; + break; } string++; } -- cgit v1.2.1 From 523767660c05cf359091694fcaccb763ebb7b2d7 Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Sun, 26 Aug 2007 05:53:26 +0000 Subject: Fixed some minor mismatched types found by splint. --- lib/escape.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 06ac04d71..fd08451de 100644 --- a/lib/escape.c +++ b/lib/escape.c 
@@ -59,7 +59,7 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) size_t alloc = (inlength?(size_t)inlength:strlen(string))+1; char *ns; char *testing_ptr = NULL; - unsigned char in; + char in; size_t newlen = alloc; int strindex=0; size_t length; -- cgit v1.2.1 From ec08e2f9f24da5974be1ab222c5703fd9fb3722f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sun, 30 Sep 2007 22:40:24 +0000 Subject: Alex Fishman reported a curl_easy_escape() problem that was made the function do wrong on all input bytes that are >= 0x80 (decimal 128) due to a signed / unsigned mistake in the code. I fixed it and added test case 543 to verify. --- lib/escape.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index fd08451de..ec9883f11 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2006, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2007, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -59,7 +59,7 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) size_t alloc = (inlength?(size_t)inlength:strlen(string))+1; char *ns; char *testing_ptr = NULL; - char in; + unsigned char in; /* we need to treat the characters unsigned */ size_t newlen = alloc; int strindex=0; size_t length; -- cgit v1.2.1 From cbd1a77ec24e397d05f20c6de106625676343c9d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 7 Nov 2007 09:21:35 +0000 Subject: if () => if() while () => while() and some other minor re-indentings --- lib/escape.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index ec9883f11..d44bf3cd9 100644 --- a/lib/escape.c +++ b/lib/escape.c 
@@ -112,7 +112,7 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) #ifdef CURL_DOES_CONVERSIONS /* escape sequences are always in ASCII so convert them on non-ASCII hosts */ - if (!handle || + if(!handle || (Curl_convert_to_network(handle, &in, 1) != CURLE_OK)) { /* Curl_convert_to_network calls failf if unsuccessful */ free(ns); @@ -163,7 +163,7 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, #ifdef CURL_DOES_CONVERSIONS /* escape sequences are always in ASCII so convert them on non-ASCII hosts */ - if (!handle || + if(!handle || (Curl_convert_from_network(handle, &in, 1) != CURLE_OK)) { /* Curl_convert_from_network calls failf if unsuccessful */ free(ns); -- cgit v1.2.1 From c98ab69cc7aae688db604bbaad5bcc8d3fe25cba Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Tue, 9 Sep 2008 21:15:50 +0000 Subject: Factored out Curl_isalnum --- lib/escape.c | 47 +++++++++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 20 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index d44bf3cd9..24134c8e8 100644 --- a/lib/escape.c +++ b/lib/escape.c 
@@ -42,6 +42,30 @@ /* The last #include file should be: */ #include "memdebug.h" +/* Portable character check (remember EBCDIC). Do not use isalnum() because +its behavior is altered by the current locale. */ +static bool Curl_isalnum(unsigned char in) +{ + switch (in) { + case '0': case '1': case '2': case '3': case '4': + case '5': case '6': case '7': case '8': case '9': + case 'a': case 'b': case 'c': case 'd': case 'e': + case 'f': case 'g': case 'h': case 'i': case 'j': + case 'k': case 'l': case 'm': case 'n': case 'o': + case 'p': case 'q': case 'r': case 's': case 't': + case 'u': case 'v': case 'w': case 'x': case 'y': case 'z': + case 'A': case 'B': case 'C': case 'D': case 'E': + case 'F': case 'G': case 'H': case 'I': case 'J': + case 'K': case 'L': case 'M': case 'N': case 'O': + case 'P': case 'Q': case 'R': case 'S': case 'T': + case 'U': case 'V': case 'W': case 'X': case 'Y': case 'Z': + return TRUE; + default: + break; + } + return FALSE; +} + /* for ABI-compatibility with previous versions */ char *curl_escape(const char *string, int inlength) { 
@@ -76,26 +100,10 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) while(length--) { in = *string; - /* Portable character check (remember EBCDIC). Do not use isalnum() because - its behavior is altered by the current locale. */ - - switch (in) { - case '0': case '1': case '2': case '3': case '4': - case '5': case '6': case '7': case '8': case '9': - case 'a': case 'b': case 'c': case 'd': case 'e': - case 'f': case 'g': case 'h': case 'i': case 'j': - case 'k': case 'l': case 'm': case 'n': case 'o': - case 'p': case 'q': case 'r': case 's': case 't': - case 'u': case 'v': case 'w': case 'x': case 'y': case 'z': - case 'A': case 'B': case 'C': case 'D': case 'E': - case 'F': case 'G': case 'H': case 'I': case 'J': - case 'K': case 'L': case 'M': case 'N': case 'O': - case 'P': case 'Q': case 'R': case 'S': case 'T': - case 'U': case 'V': case 'W': case 'X': case 'Y': case 'Z': + if (Curl_isalnum(in)) { /* just copy this */ ns[strindex++]=in; - break; - default: + } else { /* encode it */ newlen += 2; /* the size grows with two, since this'll become a %XX */ if(newlen > alloc) { @@ -123,7 +131,6 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) snprintf(&ns[strindex], 4, "%%%02X", in); strindex+=3; - break; } string++; } @@ -187,7 +194,7 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, } /* For operating systems/environments that use different malloc/free - ssystems for the app and for this library, we provide a free that uses + systems for the app and for this library, we provide a free that uses the library's memory system */ void curl_free(void *p) { -- cgit v1.2.1 From 95456b8e78d3dcee0c1d79760bcb2dfcb0d7db09 Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Wed, 8 Oct 2008 01:17:51 +0000 Subject: Added const to some pointer variables --- lib/escape.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'lib/escape.c') 
diff --git a/lib/escape.c b/lib/escape.c index 24134c8e8..626581819 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -138,6 +138,12 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) return ns; } +/* + * Unescapes the given URL escaped string of given length. Returns a + * pointer to a malloced string with length given in *olen. + * If length == 0, the length is assumed to be strlen(string). + * If olen == NULL, no output length is stored. + */ char *curl_easy_unescape(CURL *handle, const char *string, int length, int *olen) { -- cgit v1.2.1 From 33a3753c3f41d546ebf3350685eb7201d25783f4 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Tue, 21 Apr 2009 11:46:16 +0000 Subject: libcurl's memory.h renamed to curl_memory.h --- lib/escape.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 626581819..838100e38 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2007, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2009, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -31,7 +31,7 @@ #include #include #include -#include "memory.h" +#include "curl_memory.h" /* urldata.h and easyif.h are included for Curl_convert_... prototypes */ #include "urldata.h" #include "easyif.h" -- cgit v1.2.1 From 33ce0ec1f1951bc1a8f4d475381c1b7c95d4a03a Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 22 Jan 2010 23:21:39 +0000 Subject: wrap long lines and do some indent policing --- lib/escape.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 838100e38..3164f908a 100644 --- a/lib/escape.c +++ b/lib/escape.c 
@@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2009, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2010, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -103,7 +103,8 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) if (Curl_isalnum(in)) { /* just copy this */ ns[strindex++]=in; - } else { + } + else { /* encode it */ newlen += 2; /* the size grows with two, since this'll become a %XX */ if(newlen > alloc) { -- cgit v1.2.1 From 5695c4db861e3c3f200005ae428c89cd3ad6ccdb Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Wed, 24 Feb 2010 00:03:06 +0000 Subject: fix compiler warning --- lib/escape.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 3164f908a..e28e02099 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -35,6 +35,7 @@ /* urldata.h and easyif.h are included for Curl_convert_... prototypes */ #include "urldata.h" #include "easyif.h" +#include "warnless.h" #define _MPRINTF_REPLACE /* use our functions only */ #include @@ -152,7 +153,7 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, char *ns = malloc(alloc); unsigned char in; int strindex=0; - long hex; + unsigned long hex; #ifndef CURL_DOES_CONVERSIONS /* avoid compiler warnings */ @@ -171,9 +172,9 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, hexstr[1] = string[2]; hexstr[2] = 0; - hex = strtol(hexstr, &ptr, 16); + hex = strtoul(hexstr, &ptr, 16); - in = (unsigned char)hex; /* this long is never bigger than 255 anyway */ + in = curlx_ultouc(hex); /* this long is never bigger than 255 anyway */ #ifdef CURL_DOES_CONVERSIONS /* escape sequences are always in ASCII so convert them on non-ASCII hosts */ -- cgit v1.2.1 From 2309b4e330b96bc2e1f8e36b6184015e59544037 Mon Sep 17 00:00:00 2001 
From: Daniel Stenberg Date: Wed, 24 Mar 2010 11:02:54 +0100 Subject: remove the CVSish $Id$ lines --- lib/escape.c | 1 - 1 file changed, 1 deletion(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index e28e02099..37d21e799 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -18,7 +18,6 @@ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY * KIND, either express or implied. * - * $Id$ ***************************************************************************/ /* Escape and unescape URL encoding in strings. The functions return a new -- cgit v1.2.1 From 5df13c31735fa089d5344fde13b66ace1ea473d1 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 28 Sep 2010 23:46:14 +0200 Subject: curl_easy_escape: don't escape "unreserved" characters According to RFC3986 section 2.3 the letters -, ., _ and ~ should not be percent-encoded. Reported by: Miguel Diaz Bug: http://curl.haxx.se/mail/lib-2010-09/0227.html --- lib/escape.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 37d21e799..735e1d8a7 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -43,8 +43,10 @@ #include "memdebug.h" /* Portable character check (remember EBCDIC). Do not use isalnum() because -its behavior is altered by the current locale. */ -static bool Curl_isalnum(unsigned char in) + its behavior is altered by the current locale. + See http://tools.ietf.org/html/rfc3986#section-2.3 +*/ +static bool Curl_isunreserved(unsigned char in) { switch (in) { case '0': case '1': case '2': case '3': case '4': @@ -59,6 +61,7 @@ static bool Curl_isalnum(unsigned char in) case 'K': case 'L': case 'M': case 'N': case 'O': case 'P': case 'Q': case 'R': case 'S': case 'T': case 'U': case 'V': case 'W': case 'X': case 'Y': case 'Z': + case '-': case '.': case '_': case '~': return TRUE; default: break; 
@@ -100,7 +103,7 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) while(length--) { in = *string; - if (Curl_isalnum(in)) { + if (Curl_isunreserved(in)) { /* just copy this */ ns[strindex++]=in; } -- cgit v1.2.1 From c828646f60b5bffb2bfcf924eba36da767bf08bf Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 20 Apr 2011 00:48:20 +0200 Subject: CURL_DOES_CONVERSIONS: cleanup Massively reduce #ifdefs all over (23 #ifdef lines less so far) Moved conversion-specific code to non-ascii.c --- lib/escape.c | 27 +++++---------------------- 1 file changed, 5 insertions(+), 22 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 735e1d8a7..4e8dd6e4c 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2010, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -31,10 +31,9 @@ #include #include #include "curl_memory.h" -/* urldata.h and easyif.h are included for Curl_convert_... prototypes */ #include "urldata.h" -#include "easyif.h" #include "warnless.h" +#include "non-ascii.h" #define _MPRINTF_REPLACE /* use our functions only */ #include @@ -91,10 +90,6 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) int strindex=0; size_t length; -#ifndef CURL_DOES_CONVERSIONS - /* avoid compiler warnings */ - (void)handle; -#endif ns = malloc(alloc); if(!ns) return NULL; 
@@ -122,15 +117,11 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) } } -#ifdef CURL_DOES_CONVERSIONS -/* escape sequences are always in ASCII so convert them on non-ASCII hosts */ - if(!handle || - (Curl_convert_to_network(handle, &in, 1) != CURLE_OK)) { + if(Curl_convert_to_network(handle, &in, 1)) { /* Curl_convert_to_network calls failf if unsuccessful */ free(ns); return NULL; } -#endif /* CURL_DOES_CONVERSIONS */ snprintf(&ns[strindex], 4, "%%%02X", in); @@ -157,11 +148,7 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, int strindex=0; unsigned long hex; -#ifndef CURL_DOES_CONVERSIONS - /* avoid compiler warnings */ - (void)handle; -#endif - if( !ns ) + if(!ns) return NULL; while(--alloc > 0) { @@ -178,15 +165,11 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, in = curlx_ultouc(hex); /* this long is never bigger than 255 anyway */ -#ifdef CURL_DOES_CONVERSIONS -/* escape sequences are always in ASCII so convert them on non-ASCII hosts */ - if(!handle || - (Curl_convert_from_network(handle, &in, 1) != CURLE_OK)) { + if(Curl_convert_from_network(handle, &in, 1)) { /* Curl_convert_from_network calls failf if unsuccessful */ free(ns); return NULL; } -#endif /* CURL_DOES_CONVERSIONS */ string+=2; alloc-=2; -- cgit v1.2.1 From b903186fa0189ff241d756d25d07fdfe9885ae49 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 20 Apr 2011 15:17:42 +0200 Subject: source cleanup: unify look, style and indent levels By the use of a the new lib/checksrc.pl script that checks that our basic source style rules are followed. --- lib/escape.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 4e8dd6e4c..50d310a1a 100644 --- a/lib/escape.c +++ b/lib/escape.c 
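Review bot: The `@@ -122,15 +117,11 @@` and `@@ -178,15 +165,11 @@` hunks drop the `!handle` test and now hand `handle` straight to `Curl_convert_to_network()` and `Curl_convert_from_network()`, while the `curl_escape()` and `curl_unescape()` wrappers shown earlier on this page call in with a NULL handle. Whether the convert functions accept NULL is not visible here (they live outside this file), so this should be confirmed for CURL_DOES_CONVERSIONS builds. A comment at the call would record the requirement: `/* handle is NULL when called through curl_escape(); the convert function must accept that */`. The kept comment about failf presumably also depends on a non-NULL handle.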
@@ -98,10 +98,9 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) while(length--) { in = *string; - if (Curl_isunreserved(in)) { + if(Curl_isunreserved(in)) /* just copy this */ ns[strindex++]=in; - } else { /* encode it */ newlen += 2; /* the size grows with two, since this'll become a %XX */ -- cgit v1.2.1 From 30c9799f72f3275f806a296e1100ad04c942706c Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Mon, 23 May 2011 16:55:09 +0200 Subject: compiler warning: fix Fix compiler warning: expression has no effect --- lib/escape.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 50d310a1a..5500a92bf 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -89,6 +89,7 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) size_t newlen = alloc; int strindex=0; size_t length; + CURLcode res; ns = malloc(alloc); if(!ns) @@ -116,7 +117,8 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) } } - if(Curl_convert_to_network(handle, &in, 1)) { + res = Curl_convert_to_network(handle, &in, 1); + if(res) { /* Curl_convert_to_network calls failf if unsuccessful */ free(ns); return NULL; @@ -146,6 +148,7 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, unsigned char in; int strindex=0; unsigned long hex; + CURLcode res; if(!ns) return NULL; @@ -164,7 +167,8 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, in = curlx_ultouc(hex); /* this long is never bigger than 255 anyway */ - if(Curl_convert_from_network(handle, &in, 1)) { + res = Curl_convert_from_network(handle, &in, 1); + if(res) { /* Curl_convert_from_network calls failf if unsuccessful */ free(ns); return NULL; -- cgit v1.2.1 From f1586cb4775681810afd8e6626e7842d459f3b85 Mon Sep 17 00:00:00 2001 
From: Yang Tse Date: Tue, 26 Jul 2011 17:23:27 +0200 Subject: stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.h --- lib/escape.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index 5500a92bf..b0922bc93 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -24,12 +24,9 @@ * allocated string or NULL if an error occurred. */ #include "setup.h" -#include + #include -#include -#include -#include #include "curl_memory.h" #include "urldata.h" #include "warnless.h" -- cgit v1.2.1 From 75ca568fa1c19de4c5358fed246686de8467c238 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 23 Dec 2011 13:24:16 +0100 Subject: URL sanitize: reject URLs containing bad data Protocols (IMAP, POP3 and SMTP) that use the path part of a URL in a decoded manner now use the new Curl_urldecode() function to reject URLs with embedded control codes (anything that is or decodes to a byte value less than 32). URLs containing such codes could easily otherwise be used to do harm and allow users to do unintended actions with otherwise innocent tools and applications. Like for example using a URL like pop3://pop3.example.com/1%0d%0aDELE%201 when the app wants a URL to get a mail and instead this would delete one. This flaw is considered a security vulnerability: CVE-2012-0036 Security advisory at: http://curl.haxx.se/docs/adv_20120124.html Reported by: Dan Fandrich --- lib/escape.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 50 insertions(+), 13 deletions(-) (limited to 'lib/escape.c') diff --git a/lib/escape.c b/lib/escape.c index b0922bc93..0dd5a1d0a 100644 --- a/lib/escape.c +++ b/lib/escape.c @@ -31,6 +31,7 @@ #include "urldata.h" #include "warnless.h" #include "non-ascii.h" +#include "escape.h" #define _MPRINTF_REPLACE /* use our functions only */ #include 
@@ -84,7 +85,7 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) char *testing_ptr = NULL; unsigned char in; /* we need to treat the characters unsigned */ size_t newlen = alloc; - int strindex=0; + size_t strindex=0; size_t length; CURLcode res; @@ -132,23 +133,29 @@ char *curl_easy_escape(CURL *handle, const char *string, int inlength) } /* - * Unescapes the given URL escaped string of given length. Returns a - * pointer to a malloced string with length given in *olen. - * If length == 0, the length is assumed to be strlen(string). - * If olen == NULL, no output length is stored. + * Curl_urldecode() URL decodes the given string. + * + * Optionally detects control characters (byte codes lower than 32) in the + * data and rejects such data. + * + * Returns a pointer to a malloced string in *ostring with length given in + * *olen. If length == 0, the length is assumed to be strlen(string). + * */ -char *curl_easy_unescape(CURL *handle, const char *string, int length, - int *olen) +CURLcode Curl_urldecode(struct SessionHandle *data, + const char *string, size_t length, + char **ostring, size_t *olen, + bool reject_ctrl) { - int alloc = (length?length:(int)strlen(string))+1; + size_t alloc = (length?length:strlen(string))+1; char *ns = malloc(alloc); unsigned char in; - int strindex=0; + size_t strindex=0; unsigned long hex; CURLcode res; if(!ns) - return NULL; + return CURLE_OUT_OF_MEMORY; while(--alloc > 0) { in = *string; @@ -164,16 +171,20 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, in = curlx_ultouc(hex); /* this long is never bigger than 255 anyway */ - res = Curl_convert_from_network(handle, &in, 1); + res = Curl_convert_from_network(data, &in, 1); if(res) { /* Curl_convert_from_network calls failf if unsuccessful */ free(ns); - return NULL; + return res; } string+=2; alloc-=2; } + if(reject_ctrl && (in < 0x20)) { + free(ns); + return CURLE_URL_MALFORMAT; + } ns[strindex++] = in; string++; 
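Review bot: Making `alloc` a `size_t` in the `@@ -132,23 +133,29 @@` hunk removes the sign that used to end `while(--alloc > 0)` once the counter dropped below zero. The `alloc-=2` in the `@@ -164,16 +171,20 @@` hunk now wraps to a very large value if a `%XX` sequence is consumed with fewer than two counted input bytes left. The loop would then keep reading `string` and writing `ns` past their ends. The condition that accepts a `%XX` sequence is outside both hunks, so this cannot be confirmed from here. If it does not already bound the remaining length, it should also require `alloc > 2` before the two following bytes are examined.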
@@ -183,7 +194,33 @@ char *curl_easy_unescape(CURL *handle, const char *string, int length, if(olen) /* store output size */ *olen = strindex; - return ns; + + if(ostring) + /* store output string */ + *ostring = ns; + + return CURLE_OK; +} + +/* + * Unescapes the given URL escaped string of given length. Returns a + * pointer to a malloced string with length given in *olen. + * If length == 0, the length is assumed to be strlen(string). + * If olen == NULL, no output length is stored. + */ +char *curl_easy_unescape(CURL *handle, const char *string, int length, + int *olen) +{ + char *str = NULL; + size_t inputlen = length; + size_t outputlen; + CURLcode res = Curl_urldecode(handle, string, inputlen, &str, &outputlen, + FALSE); + if(res) + return NULL; + if(olen) + *olen = curlx_uztosi(outputlen); + return str; } /* For operating systems/environments that use different malloc/free -- cgit v1.2.1
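Review bot: `size_t inputlen = length;` in the new `curl_easy_unescape()` converts the caller's `int length` without checking its sign, so a negative length becomes a very large `size_t`. In `Curl_urldecode()` that value feeds `alloc`, which sets the `malloc` size and the loop count. Rejecting it ahead of the `Curl_urldecode()` call keeps the public contract intact: `if(length < 0) return NULL;`. Separately, `Curl_urldecode()` hands `ns` back only through `*ostring`, so when `ostring` is NULL the buffer is neither returned nor freed. Either free it in that case or document that `ostring` must be non-NULL. `Curl_urldecode()` starts outside this hunk.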