diff --git a/src/ChangeLog b/src/ChangeLog index 762067f0..f29dd261 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2005-03-05 Hrvoje Niksic + + * url.c (url_file_name): Don't allow hosts named ".." to be + appended as path elements. + 2005-03-03 Hrvoje Niksic * retr.c (retrieve_url): Escape location header. diff --git a/src/url.c b/src/url.c index 7762473f..35399050 100644 --- a/src/url.c +++ b/src/url.c @@ -1454,7 +1454,13 @@ url_file_name (const struct url *u) { if (fnres.tail) append_char ('/', &fnres); - append_string (u->host, &fnres); + if (0 != strcmp (u->host, "..")) + append_string (u->host, &fnres); + else + /* Host name can come from the network; malicious DNS may + allow ".." to be resolved, causing us to write to + "../". Defang such host names. */ + append_string ("%2E%2E", &fnres); if (u->port != scheme_default_port (u->scheme)) { char portstr[24];