moparisthebest/wget
1
0
Fork 0
mirror of https://github.com/moparisthebest/wget synced 2024-07-03 16:38:41 -04:00
Code Issues Releases Wiki Activity

[svn] Fix bogus ".." hosts injecting such components to path.

Browse Source
This commit is contained in:
hniksic 2005-03-05 15:04:05 -08:00
parent b3363d2abd
commit 18acfe8130
2 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/ChangeLog
View File

@ -1,3 +1,8 @@
2005-03-05 Hrvoje Niksic <hniksic@xemacs.org>
* url.c (url_file_name): Don't allow hosts named ".." to be
appended as path elements.
2005-03-03 Hrvoje Niksic <hniksic@xemacs.org>
* retr.c (retrieve_url): Escape location header.

8
src/url.c
View File

@ -1454,7 +1454,13 @@ url_file_name (const struct url *u)
{
if (fnres.tail)
append_char ('/', &fnres);
append_string (u->host, &fnres);
if (0 != strcmp (u->host, ".."))
append_string (u->host, &fnres);
else
/* Host name can come from the network; malicious DNS may
allow ".." to be resolved, causing us to write to
"../<file>". Defang such host names. */
append_string ("%2E%2E", &fnres);
if (u->port != scheme_default_port (u->scheme))
{
char portstr[24];