mirror of https://github.com/moparisthebest/curl synced 2024-08-13 17:03:50 -04:00

url-parsing: reject CRLFs within URLs

Bug: http://curl.haxx.se/docs/adv_20150108B.html
Reported-by: Andrey Labunets
Daniel Stenberg 2014-12-25 23:55:03 +01:00
parent f7d5ecec9c
commit 178bd7db34


@ -3842,6 +3842,13 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
*prot_missing = FALSE; *prot_missing = FALSE;
/* We might pass the entire URL into the request so we need to make sure
* there are no bad characters in there.*/
if(strpbrk(data->change.url, "\r\n")) {
failf(data, "Illegal characters found in URL");
return CURLE_URL_MALFORMAT;
}
/************************************************************* /*************************************************************
* Parse the URL. * Parse the URL.
* *
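Review bot: The added `if(strpbrk(data->change.url, "\r\n"))` guard inspects only the raw URL string, and its comment ("no bad characters") names neither the characters nor the limit of the check. Percent-encoded forms such as `%0d%0a` pass this test, so any code that later decodes a URL component must presumably reject them itself; that code is not visible in this hunk. I would spell out the scope in the comment, for example `/* Reject raw CR/LF: the URL may be sent verbatim in a request line, where they would split the request. Percent-encoded forms are not checked here. */`. The message passed to `failf` could also name the rejected characters, so a user who hits CURLE_URL_MALFORMAT can tell what to fix. The body of parseurlandfillconn starts and ends outside the hunk, so whether `data->change.url` is always non-NULL at this point cannot be confirmed from here.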