urlapi: reject more bad letters from the host name: &+()
authorDaniel Stenberg <daniel@haxx.se>
Wed, 14 Dec 2022 22:41:08 +0000 (23:41 +0100)
committerDaniel Stenberg <daniel@haxx.se>
Thu, 15 Dec 2022 07:23:48 +0000 (08:23 +0100)
Follow-up from eb0167ff7d31d3a5

Extend test 1560 to verify

Closes #10096

lib/urlapi.c
tests/libtest/lib1560.c

index 7dac81c85c8c15d64b08dccbc0b6aea82fcda1a8..b96af35ad2d42808501d3843c10aec5e330fc767 100644 (file)
@@ -636,7 +636,7 @@ static CURLUcode hostname_check(struct Curl_URL *u, char *hostname,
   }
   else {
     /* letters from the second string are not ok */
-    len = strcspn(hostname, " \r\n\t/:#?!@{}[]\\$\'\"^`*<>=;,");
+    len = strcspn(hostname, " \r\n\t/:#?!@{}[]\\$\'\"^`*<>=;,+&()");
     if(hlen != len)
       /* hostname with bad content */
       return CURLUE_BAD_HOSTNAME;
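Review bot: The reject set passed to `strcspn()` is a denylist, so any byte it does not name still passes this check. In the visible string that includes `|` and every control byte other than `\r`, `\n` and `\t`, although code outside this hunk may reject some of these. The comment `/* letters from the second string are not ok */` does not state that policy, and the commit message shows the list is being extended by follow-ups. I would reword it along the lines of `/* denylist: bytes never allowed in a host name; anything not listed is accepted by this check */`, or consider matching against an allowlist of permitted bytes instead. The body of hostname_check starts and ends outside the hunk.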
index 42300cfd7d622814ddb8a78a271ef46e3526e464..f27864c8db5f154e0ee45bd1ec48e836c8d14f46 100644 (file)
@@ -160,6 +160,10 @@ static const struct testcase get_parts_list[] ={
   {"https://exam=ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
   {"https://exam;ple.net", "", 0, 0, CURLUE_BAD_HOSTNAME},
   {"https://example,net", "", 0, 0, CURLUE_BAD_HOSTNAME},
+  {"https://example&net", "", 0, 0, CURLUE_BAD_HOSTNAME},
+  {"https://example+net", "", 0, 0, CURLUE_BAD_HOSTNAME},
+  {"https://example(net", "", 0, 0, CURLUE_BAD_HOSTNAME},
+  {"https://example)net", "", 0, 0, CURLUE_BAD_HOSTNAME},
   {"https://example.net/}",
    "https | [11] | [12] | [13] | example.net | [15] | /} | [16] | [17]",
    0, 0, CURLUE_OK},
@@ -466,8 +470,8 @@ static const struct urltestcase get_url_list[] = {
   {"https://0xff.0xff.0377.255", "https://255.255.255.255/", 0, 0, CURLUE_OK},
   {"https://1.0xffffff", "https://1.255.255.255/", 0, 0, CURLUE_OK},
   /* IPv4 numerical overflows or syntax errors will not normalize */
-  {"https://+127.0.0.1", "https://+127.0.0.1/", 0, 0, CURLUE_OK},
-  {"https://+127.0.0.1", "https://%2B127.0.0.1/", 0, CURLU_URLENCODE,
+  {"https://a127.0.0.1", "https://a127.0.0.1/", 0, 0, CURLUE_OK},
+  {"https://\xff.127.0.0.1", "https://%FF.127.0.0.1/", 0, CURLU_URLENCODE,
    CURLUE_OK},
   {"https://127.-0.0.1", "https://127.-0.0.1/", 0, 0, CURLUE_OK},
   {"https://127.0. 1", "https://127.0.0.1/", 0, 0, CURLUE_BAD_HOSTNAME},
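Review bot: Replacing both `https://+127.0.0.1` entries with `a127.0.0.1` and `\xff.127.0.0.1` means this list no longer holds any input with a leading `+` before an IPv4-looking host. That form matters to callers that filter on the parsed host, so it is worth pinning as rejected rather than dropping. An entry such as `{"https://+127.0.0.1", "", 0, 0, CURLUE_BAD_HOSTNAME},` would do that, assuming the expected-output field is ignored on error as it appears to be for the `127.0. 1` entry. The array continues outside the hunk.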
@@ -632,9 +636,9 @@ static int checkurl(const char *url, const char *out)
 /* !checksrc! disable SPACEBEFORECOMMA 1 */
 static const struct setcase set_parts_list[] = {
   {"https://example.com/",
-   "host=++,", /* '++' there's no automatic URL decode when settin this
+   "host=0xff,", /* '++' there's no automatic URL decode when settin this
                   part */
-   "https://++/",
+   "https://0xff/",
    0, /* get */
    0, /* set */
    CURLUE_OK, CURLUE_OK},
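Review bot: The comment on the changed `"host=0xff,"` entry still reads `'++' there's no automatic URL decode when settin this part`, which no longer describes the value being set. It should say what the entry now shows, for example `/* '0xff' is stored verbatim when setting the host part */`, which matches the expected `https://0xff/` and also fixes the "settin" typo. The hunk also swaps the `++` case out instead of adding one that sets `host=++,` and expects CURLUE_BAD_HOSTNAME from the set step. If setting the host goes through hostname_check, such an entry would cover the new rejection on the set path as well as the parse path. The array continues outside the hunk.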