url: allow user + password to contain "control codes" for HTTP(S)
Reported-by: Jon Johnson Jr Fixes #5582 Closes #5592
parent
31e53584db
commit
d5ed571948
@ -125,7 +125,8 @@ const struct Curl_handler Curl_handler_http = {
|
|||||||
ZERO_NULL, /* connection_check */
|
ZERO_NULL, /* connection_check */
|
||||||
PORT_HTTP, /* defport */
|
PORT_HTTP, /* defport */
|
||||||
CURLPROTO_HTTP, /* protocol */
|
CURLPROTO_HTTP, /* protocol */
|
||||||
PROTOPT_CREDSPERREQUEST /* flags */
|
PROTOPT_CREDSPERREQUEST | /* flags */
|
||||||
|
PROTOPT_USERPWDCTRL
|
||||||
};
|
};
|
||||||
|
|
||||||
#ifdef USE_SSL
|
#ifdef USE_SSL
|
||||||
@ -150,7 +151,8 @@ const struct Curl_handler Curl_handler_https = {
|
|||||||
ZERO_NULL, /* connection_check */
|
ZERO_NULL, /* connection_check */
|
||||||
PORT_HTTPS, /* defport */
|
PORT_HTTPS, /* defport */
|
||||||
CURLPROTO_HTTPS, /* protocol */
|
CURLPROTO_HTTPS, /* protocol */
|
||||||
PROTOPT_SSL | PROTOPT_CREDSPERREQUEST | PROTOPT_ALPN_NPN /* flags */
|
PROTOPT_SSL | PROTOPT_CREDSPERREQUEST | PROTOPT_ALPN_NPN | /* flags */
|
||||||
|
PROTOPT_USERPWDCTRL
|
||||||
};
|
};
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
29
lib/url.c
29
lib/url.c
@ -1894,23 +1894,32 @@ static CURLcode parseurlandfillconn(struct Curl_easy *data,
|
|||||||
if(result)
|
if(result)
|
||||||
return result;
|
return result;
|
||||||
|
|
||||||
uc = curl_url_get(uh, CURLUPART_USER, &data->state.up.user,
|
/* we don't use the URL API's URL decoder option here since it rejects
|
||||||
CURLU_URLDECODE);
|
control codes and we want to allow them for some schemes in the user and
|
||||||
|
password fields */
|
||||||
|
uc = curl_url_get(uh, CURLUPART_USER, &data->state.up.user, 0);
|
||||||
if(!uc) {
|
if(!uc) {
|
||||||
conn->user = strdup(data->state.up.user);
|
char *decoded;
|
||||||
if(!conn->user)
|
result = Curl_urldecode(NULL, data->state.up.user, 0, &decoded, NULL,
|
||||||
return CURLE_OUT_OF_MEMORY;
|
conn->handler->flags&PROTOPT_USERPWDCTRL ?
|
||||||
|
REJECT_ZERO : REJECT_CTRL);
|
||||||
|
if(result)
|
||||||
|
return result;
|
||||||
|
conn->user = decoded;
|
||||||
conn->bits.user_passwd = TRUE;
|
conn->bits.user_passwd = TRUE;
|
||||||
}
|
}
|
||||||
else if(uc != CURLUE_NO_USER)
|
else if(uc != CURLUE_NO_USER)
|
||||||
return Curl_uc_to_curlcode(uc);
|
return Curl_uc_to_curlcode(uc);
|
||||||
|
|
||||||
uc = curl_url_get(uh, CURLUPART_PASSWORD, &data->state.up.password,
|
uc = curl_url_get(uh, CURLUPART_PASSWORD, &data->state.up.password, 0);
|
||||||
CURLU_URLDECODE);
|
|
||||||
if(!uc) {
|
if(!uc) {
|
||||||
conn->passwd = strdup(data->state.up.password);
|
char *decoded;
|
||||||
if(!conn->passwd)
|
result = Curl_urldecode(NULL, data->state.up.password, 0, &decoded, NULL,
|
||||||
return CURLE_OUT_OF_MEMORY;
|
conn->handler->flags&PROTOPT_USERPWDCTRL ?
|
||||||
|
REJECT_ZERO : REJECT_CTRL);
|
||||||
|
if(result)
|
||||||
|
return result;
|
||||||
|
conn->passwd = decoded;
|
||||||
conn->bits.user_passwd = TRUE;
|
conn->bits.user_passwd = TRUE;
|
||||||
}
|
}
|
||||||
else if(uc != CURLUE_NO_PASSWORD)
|
else if(uc != CURLUE_NO_PASSWORD)
|
||||||
|
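Review bot: With `REJECT_ZERO` selected for handlers that carry `PROTOPT_USERPWDCTRL`, the decoded user name and password can now contain CR and LF, and nothing in this hunk constrains where `conn->user` and `conn->passwd` are written afterwards. Basic auth base64-encodes both, but any code that emits the user name as text inside a header line (Digest is the one to check, and it is outside this hunk) has to escape or refuse those bytes, otherwise a credential taken from an untrusted URL could alter the request headers. I would record that at the decode site, e.g. `/* REJECT_ZERO lets CR/LF through: anything that writes conn->user or conn->passwd into a header as text must escape or reject them */`, and add a regression test with an encoded CR LF in the user part for each HTTP auth method. The same applies to the password block further down, and parseurlandfillconn starts and ends outside the hunk.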
@ -766,6 +766,8 @@ struct Curl_handler {
|
|||||||
HTTP proxy as HTTP proxies may know
|
HTTP proxy as HTTP proxies may know
|
||||||
this protocol and act as a gateway */
|
this protocol and act as a gateway */
|
||||||
#define PROTOPT_WILDCARD (1<<12) /* protocol supports wildcard matching */
|
#define PROTOPT_WILDCARD (1<<12) /* protocol supports wildcard matching */
|
||||||
|
#define PROTOPT_USERPWDCTRL (1<<13) /* Allow "control bytes" (< 32 ascii) in
|
||||||
|
user name and password */
|
||||||
|
|
||||||
#define CONNCHECK_NONE 0 /* No checks */
|
#define CONNCHECK_NONE 0 /* No checks */
|
||||||
#define CONNCHECK_ISDEAD (1<<0) /* Check if the connection is dead. */
|
#define CONNCHECK_ISDEAD (1<<0) /* Check if the connection is dead. */
|
||||||
|
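Review bot: The comment on `PROTOPT_USERPWDCTRL` says bytes below 32 are allowed, but the only use visible in this commit maps the flag to `REJECT_ZERO`, which by its name still refuses a zero byte, and the comment does not say that CR and LF are among the bytes let through. Suggested wording: `/* Allow "control bytes" (1-31 ascii, a zero byte is still rejected) in user name and password; this includes CR and LF */`. This is hedged on how Curl_urldecode treats `REJECT_ZERO`, which is not shown on this page.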