From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 9 May 2022 06:19:38 +0000 (+0200)
Subject: urlapi: reject percent-decoding host name into separator bytes
X-Git-Tag: curl-7_83_1~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=914aaab9153764ef8fa4178215b8ad89d3ac263a;p=thirdparty%2Fcurl.git

urlapi: reject percent-decoding host name into separator bytes

CVE-2022-27780

Reported-by: Axel Chong
Bug: https://curl.se/docs/CVE-2022-27780.html
Closes #8826
---

diff --git a/lib/urlapi.c b/lib/urlapi.c
index 479596acd1..2a36de6a58 100644
--- a/lib/urlapi.c
+++ b/lib/urlapi.c
@@ -678,8 +678,8 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname)
 #endif
   }
   else {
-    /* letters from the second string is not ok */
-    len = strcspn(hostname, " \r\n");
+    /* letters from the second string are not ok */
+    len = strcspn(hostname, " \r\n\t/:#?!@");
     if(hlen != len)
       /* hostname with bad content */
       return CURLUE_BAD_HOSTNAME;