urlapi: reject percent-decoding host name into separator bytes

author Daniel Stenberg <daniel@haxx.se>

Mon, 9 May 2022 06:19:38 +0000 (08:19 +0200)

committer Daniel Stenberg <daniel@haxx.se>

Mon, 9 May 2022 10:50:34 +0000 (12:50 +0200)
author Daniel Stenberg <daniel@haxx.se>
Mon, 9 May 2022 06:19:38 +0000 (08:19 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Mon, 9 May 2022 10:50:34 +0000 (12:50 +0200)
diff --git a/lib/urlapi.c b/lib/urlapi.c

index 479596acd1d5ca4d6731482758242c8973141c13..2a36de6a58f2b73f56f16431eab50211063516cd 100644 (file)
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
  #endif
    }
    else {
-    /* letters from the second string is not ok */
-    len = strcspn(hostname, " \r\n");
+    /* letters from the second string are not ok */
+    len = strcspn(hostname, " \r\n\t/:#?!@");
      if(hlen != len)
        /* hostname with bad content */
        return CURLUE_BAD_HOSTNAME;
author	Daniel Stenberg <daniel@haxx.se>
	Mon, 9 May 2022 06:19:38 +0000 (08:19 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Mon, 9 May 2022 10:50:34 +0000 (12:50 +0200)