1 From 4e2ac2afa94f014a2a015c48c678e2367a63ae82 Mon Sep 17 00:00:00 2001 |
2 From: Daniel Stenberg <[email protected]> |
3 Date: Thu, 25 Dec 2014 23:55:03 +0100 |
4 Subject: [PATCH] url-parsing: reject CRLFs within URLs |
5 |
6 Bug: http://curl.haxx.se/docs/adv_20150108B.html |
7 Reported-by: Andrey Labunets |
8 --- |
9 lib/url.c | 7 +++++++ |
10 1 file changed, 7 insertions(+) |
11 |
12 This fix is already available upstream in curl version 7.40.0 |
13 |
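--- a/lib/url.c
+++ b/lib/url.c
@@ -3807,6 +3807,13 @@
 
 *prot_missing = FALSE;
 
+ /* We might pass the entire URL into the request so we need to make sure
+ * there are no bad characters in there.*/
+ if(strpbrk(data->change.url, "\r\n")) {
+ failf(data, "Illegal characters found in URL");
+ return CURLE_URL_MALFORMAT;
+ }
+
 /*************************************************************
 * Parse the URL.
 *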
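Review bot: The comment on the added check says "bad characters", but the test rejects only raw CR and LF, so a reader cannot tell whether other control bytes were considered and deliberately allowed. I would name the threat in the comment, e.g. `/* CR or LF in a URL that is sent verbatim in the request line would let it carry extra header lines, so reject them before parsing. */`. The check runs on `data->change.url` as supplied, so percent-encoded forms pass here; that is safe only if nothing later decodes them before the URL is written into the request, which this hunk does not show. The enclosing function starts and ends outside the hunk.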