From: Daniel Stenberg Date: Thu, 8 Jun 2023 11:40:52 +0000 (+0200) Subject: curl_url_set: enforce the max string length check for all parts X-Git-Tag: curl-8_2_0~129 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dacd25888fa7b2d7bb3d16672b986a69088ed292;p=thirdparty%2Fcurl.git curl_url_set: enforce the max string length check for all parts Update the docs and test 1559 accordingly Closes #11273 --- diff --git a/docs/libcurl/curl_url_set.3 b/docs/libcurl/curl_url_set.3 index 435818e8bf..cffe745e82 100644 --- a/docs/libcurl/curl_url_set.3 +++ b/docs/libcurl/curl_url_set.3 @@ -188,9 +188,8 @@ Returns a \fICURLUcode\fP error value, which is CURLUE_OK (0) if everything went fine. See the \fIlibcurl-errors(3)\fP man page for the full list with descriptions. -A URL string passed on to \fIcurl_url_set(3)\fP for the \fBCURLUPART_URL\fP -part, must be shorter than 8000000 bytes otherwise it returns -\fBCURLUE_MALFORMED_INPUT\fP (added in 7.65.0). +The input string passed to \fIcurl_url_set(3)\fP must be shorter than eight +million bytes. Otherwise this function returns \fBCURLUE_MALFORMED_INPUT\fP. If this function returns an error, no URL part is set. .SH "SEE ALSO" diff --git a/lib/urlapi.c b/lib/urlapi.c index 7b2498c40e..e0c547605a 100644 --- a/lib/urlapi.c +++ b/lib/urlapi.c @@ -1642,6 +1642,7 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what, bool leadingslash = FALSE; bool appendquery = FALSE; bool equalsencode = FALSE; + size_t nalloc; if(!u) return CURLUE_BAD_HANDLE; @@ -1694,6 +1695,11 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what, return CURLUE_OK; } + nalloc = strlen(part); + if(nalloc > CURL_MAX_INPUT_LENGTH) + /* excessive input length */ + return CURLUE_MALFORMED_INPUT; + switch(what) { case CURLUPART_SCHEME: { size_t plen = strlen(part); @@ -1800,14 +1806,8 @@ CURLUcode curl_url_set(CURLU *u, CURLUPart what, } DEBUGASSERT(storep); { - const char *newp = part; - size_t nalloc = strlen(part); + const char *newp; struct dynbuf enc; - - if(nalloc > CURL_MAX_INPUT_LENGTH) - /* excessive input length */ - return CURLUE_MALFORMED_INPUT; - Curl_dyn_init(&enc, nalloc * 3 + 1 + leadingslash); if(leadingslash && (part[0] != '/')) { diff --git a/tests/data/test1559 b/tests/data/test1559 index 863a89e5ab..c307f6447e 100644 --- a/tests/data/test1559 +++ b/tests/data/test1559 @@ -37,7 +37,7 @@ Set excessive URL lengths CURLOPT_URL 10000000 bytes URL == 43 CURLOPT_POSTFIELDS 10000000 bytes data == 0 CURLUPART_URL 10000000 bytes URL == 3 (Malformed input to a URL function) -CURLUPART_SCHEME 10000000 bytes scheme == 27 (Bad scheme) +CURLUPART_SCHEME 10000000 bytes scheme == 3 (Malformed input to a URL function) CURLUPART_USER 10000000 bytes user == 3 (Malformed input to a URL function)